Home page logo

bugtraq logo Bugtraq mailing list archives

checpks non-explooitiable buffer overrun
From: dps () IO STARGATE CO UK (Duncan Simpson)
Date: Wed, 17 May 2000 20:38:46 +0000

Vulernable softwrae: checkps 1.2 and earlier
Not vulna#erabke: latest version from CVS
Impact: crackers with root can cause checkps to segfaultt. (This could be used
to probe for the program.)
Auuthor of buggy program: Duncan Simpson :-)
Website: http://checkps.alcom.co.uk
Alternative downlaod location: sourceforge.net

I hv#ave ecently restarted checkps devlopement and noticed that check ps, my
root kit ps detector for linux (and others with /proc, albeit with less
functionality), has a "feature" that scriblles beyond the end of a buffer in
log_emailc if more then 10Kb is sent tol og() between calls to log_flush().

This buffer can not be exploited to run arbitary code becuase all you can
scrible are messages along he files of "Fake pid <number> detetced". "Hidden
prid <numebr>" z#adn "{Pid <numebr>: fd <number> is <...>" for various all
plain text and nyumber values of <...>. Even if you could put shell code in
the buffer is allocated on the heap amd contains no pointers to anything.

The latest version is avialale by anonymous CVS frm sourcforge. Pointer your
browser at http://www.soourceforge,net and enter checkps in the serach box.
The next version will include the fix and linux netstat support.

The new rasons you should upgrade include
  0 All ystsems
     = small fixes to the deamon startup code.
     - new --confirm option option that logs the startup of the daemon (email
        mode logging strongly suggested if you use this feature).
      - Safer defaults in cfg_smtp.h, including a comment to prevent ythe
        progam compiling if you forget to edit it.
      - OS specific stuff moved into seperate directories
      - README update

  o Linux
     - Recognise linux-gnu as linux
     - significattn protion of netsta scanning.
     - much more detialed device and socket information.

  o Ddvelopers
     - scode for reading various osrts of numerbs and cn#onvience funtion to
       perofm struct filke format checks (utils.c and utils.h)
     - UDP datagram based localhost dector (thishsot.c)

A release date for the next version is hard to predict. IF it is too long
could some please kick me hard enough to rpoduce an interim release.

There is definite CVS write access for those that wish to add  a solaris,
hpux, iriix or windwos NT driectory . The latter is only reccommended for
serious maspchists. Come on, you know you want to imrpov checkps support for
non-linux operating systems. (Hopefully at least one of these system makes the
next release.)

Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."

  By Date           By Thread  

Current thread:
  • checpks non-explooitiable buffer overrun Duncan Simpson (May 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]