Home page logo

bugtraq logo Bugtraq mailing list archives

uml_net bug
From: Ktha <ktha () hushmail com>
Date: 24 May 2003 01:10:07 -0000

There is a vulnerability in uml_net. The latest version is vulnerable too.
The problem is the lack of bounds checking in uml_net.c from uml_utilities,
A possible attack could lead to root compromise on some systems since for 
example uml_net comes suided root in RH 8.0 by default.

Let's look over the code:

*       int n = 3, v;

we observe how "v" is declared, as a signed integer.
with a little bit of "luck" will end up here, knowing that "v" will get 
the value of the first parameter (an integer) given to the program:

*       if(v > CURRENT_VERSION)

so... if "v" is smaller than 0, the test will be passed but "v" will not 
be between 0 and CURRENT_VERSION as the author would expected to.
after some tests on the second parameter of the program... we should 
arrive to this code:

*       if(handlers[v] != NULL) (*handlers[v])(argc - n, &argv[n]);

here it is called the function located at handlers[v]. by suplying a large 
negative integer for "v", handlers[v] can point to the stack which can be 
controlled by the user. so, the program can be fooled  to call a user 
controlled "function". 
since the root privileges are not dropped till this point... the user code 
will be executed with super-user privileges.

Suggested patch: uml_net.c

    - if(v > CURRENT_VERSION){
    + if ((v > CURRENT_VERSION) || (v < 0)) {

Contact: ktha () hushmail com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]