Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
From: ronald () GRAFIX NL (Ronald Huizer)
Date: Sat, 4 Mar 2000 18:55:43 -0000


No. getenv() fails because *envp, argc, **argv are AFTER
pathname[]
buffer and gets overwritten.

Of course, it is still exploitable.

It doesn't quite look that way to me.
The overflow takes place after the setuid(getuid()) call has
been made. Which renders execution of shellcode useless to
us.

The first overflow that is encountered in this way is NOT
the strpcy(pathname, disk) but the realpath() function which
expects pathname to be of size MAXPATHLEN instead of a mere
255 bytes. After this the buffer is overflown again by the
strcpy() call.

After patching pathname to be of MAXPATHLEN size the buffer
still gets overflown by the strcpy() function which should
be made to a strncpy() to function properly.

Full patch included (not a a workaround that just chokes in
a \0 at the end of char *disk).

--- main.c.old  Fri Jan 21 11:17:41 2000
+++ main.c      Sat Mar  4 19:42:13 2000
@@ -119,7 +119,7 @@
 #ifdef __linux__
        errcode_t retval;
        char directory[NAME_MAX];
-       char pathname[NAME_MAX];
+       char pathname[MAXPATHLEN];
 #endif
        time_t tnow;
        char labelstr[LBLSIZE];
@@ -363,7 +363,7 @@
 #ifdef HAVE_REALPATH
                if (realpath(disk, pathname) == NULL)
 #endif
-                       strcpy(pathname, disk);
+                       strncpy(pathname, disk, MAXPATHLEN);
                dt = fstabsearchdir(pathname, directory);
                if (dt != NULL) {
                        char name[MAXPATHLEN];

Cheers,

Ronald Huizer - ronald () grafix nl


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]