mailing list archives
Problems with locale routines in general...
From: tqbf () enteract com (Thomas H. Ptacek)
Date: Mon, 3 Feb 1997 09:43:33 -0600
I'm sure I'm rehashing something that the developers are already aware of
(FreeBSD -current is not vulnerable to this problem), but from the looks
of it, anyone who installed FreeBSD 2.2 prior to December of 1996 is
vulnerable to locale routine problems similar to the one that afflicts
crt0 start() in FreeBSD 2.1.x.
Specifically, I'm able to cause a shell to be executed from any program
that calls setlocale() in FreeBSD 2.2. I tested this out with dmesg, which
promptly gave me an SGID "kmem" shell. Note that programs that shed
privilege using saved-set UIDs are vulnerable to this problem as well, as
the machine code used to take over the affected programs can easily
The locale routines were patched at the end of 1996 to cause PATH_LOCALE
(the environment variable who's contents are trampling all over the stack
frames of locale routines) to be ignored if the euid doesn't match the
uid; the patch also avoids the stack overrun by allocating space for the
variable on the heap with strdup().
People running FreeBSD revisions that don't have this patch will want to
make sure they've applied these patches as soon as possible. Vulnerability
can easily be assessed by setting LC_CTYPE, filling PATH_LOCALE with 2000
random characters, and attempting to run /sbin/dmesg (which will segfault
if the problem exists).
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
"I'm standing alone, I'm watching you all, I'm seeing you sinking."