Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: SUID wrapper (was Re: (fwd) Re: Format String Attacks)
From: Drazen Kacar <dave () SRCE HR>
Date: Fri, 15 Sep 2000 08:31:11 +0200

Granquist, Lamont wrote:
Instead of reinventing the wheel:

http://cegt201.bradley.edu/~im14u2c/wrapper/

That is Joe Zbiciak's suid wrapper which has been around for 3+ years.

Umm... The first function in the source is:

#include <ctype.h>

static inline
int word_wrap(char * s, int len)
{
        int i,j;

        for (i=j=0; *s && i<len; s++,i++)
                if (isspace(*s)) j=i;

        if (j==0 || !*s) j=i-1;

        return j;
}

One shouldn't call isspace() and friends with char pointer as an argument.
You're going to get strange results if some character is greater than 127.
And I don't know what happens in locales which don't use single byte
encoding.

I'm not saying it's exploitable, but I don't have trust in correct operation
of programs which do this kind of thing. And this is even supposed to be
setuid program.

--
 .-.   .-.    I don't work for my employer.
(_  \ /  _)
     |        dave () srce hr
     |        dave () fly srk fer hr


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]