Vulnerability Development: Re: sadc Segmentation Fault

Re: sadc Segmentation Fault

From: VISC Network <viscnet_at_yahoo.com>
Date: Fri, 07 Dec 2001 18:22:23 +0700

I just did a quick look at the sadc source code included in the sysstat-3.3.5
package (RH 7.1).

/* sadc.c */
    1214: char ofile[MAX_FILE_LEN];

...

    1320: /* Write data to file */
    1321: strcpy(ofile, argv[opt]);
..
// EOF

[redragon_at_redhat sysstat-3.3.5]$ grep MAX_FILE_LEN *.h
common.h:#define MAX_FILE_LEN 256

The space reserved on the stack for 'ofile' is 256 bytes. So when running
the program with an argument longer than 256 characters, the data overflows
the buffer.

It's easy to write an exp for this bug. But no file in the sysstat package has
suid .. ehe ;-D

Further, it is not only sadc; there are similar bugs in the sysstat package, e.g.:
sar -f `perl -e 'print "A" x 300'`

[redragon_at_redhat sysstat-3.3.5]$ grep strcpy *.c
iostat.c: strcpy(disk_hdr_stats[part_nr++].name, part_hdr.name);
sadc.c: strcpy(st_net_dev_i->interface, "?");
sadc.c: strcpy(ofile, argv[opt]);
sadc.c: strcpy(ofile, new_ofile);
sar.c: strcpy(args[i], ltemp);
sar.c: strcpy(to_file, argv[opt++]);
sar.c: strcpy(to_file, "-");
sar.c: strcpy(from_file, argv[opt++]);
sar.c: strcpy(time_stamp, argv[opt++]);
sar.c: strcpy(time_stamp, DEF_TMSTART);
sar.c: strcpy(time_stamp, argv[opt++]);
sar.c: strcpy(time_stamp, DEF_TMEND);
sar.c: strcpy(ltemp, K_SELF);
sar.c: strcpy(ltemp, "1");

The author of sysstat was notified of this bug.
The latest version of sysstat (4.0.2) is buggy also.

ReDragon
------------------------------------------------------
Email: redragon at vnSecurity.net
http://www.vnSecurity.net

"smackenz" <smackenz_at_brad.ac.uk> wrote :
>Bug with Command:: sadc
>Located:: /usr/lib/sa/sadc
>Date: Mon Dec 3 21:01:19 GMT 2001
>Program: sadc (/usr/lib/sa/sadc)
>Problem: Segmentation fault
>DESCRIPTION (from man)
> The sadc command samples system data a specified number of
> times (count) at a specified interval measured in seconds
> (interval).
> The sadc command is intended to be used as a backend to
> the sar command.
> The proc filesystem must be mounted for the sadc command to work.
> /var/log/sa/sadd --> daily report file.
>
>I don't know much about this command except that it is run with system-level
>privileges by executing /usr/lib/sa/sadc [if you have it on your system].
>I'm not sure if this command is occasionally run by root from a default
>install (i.e. Red Hat 7.1) since I have not had time at all to look into it.
>If anyone knows more about the system usage of this program, their
>comments would be greatly appreciated.
>See below for shell examples.
>-----------------------------------------------
>[smackenz_at_mainframe smackenz]$ id
>uid=1001(smackenz) gid=1001(smackenz) groups=1001(smackenz)
>[smackenz_at_mainframe smackenz]$ /usr/lib/sa/sadc
>Cannot open /var/log/sa/sa03: Permission denied
><log files.....>
>[smackenz_at_mainframe smackenz]$ ps aux |grep sadc
>smackenz 1608 0.0 0.2 1732 592 pts/1 R 21:14 0:00 grep sadc
><not running at all....>
>Following this as user 'smackenz' I carried out the following commands:
>[smackenz_at_mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 200'`
>[smackenz_at_mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 210'`
>[smackenz_at_mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 220'`
>[smackenz_at_mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 230'`
>[smackenz_at_mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 240'`
>[smackenz_at_mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 250'`
>[smackenz_at_mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 260'`
>Cannot open
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
>File name too long
>[smackenz_at_mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 270'`
>Cannot open
>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
>File name too long
>etc.... until
>[smackenz_at_mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 290'`
>Segmentation fault (core dumped)
>-------------------------------------------------------
>Later
>Scott.
Received on Dec 07 2001
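Added example (mine, not from the mail or from sysstat): a bounds-checked replacement for the strcpy(ofile, argv[opt]) pattern quoted above, keeping the same MAX_FILE_LEN of 256 and exercised with all-'A' names like the ones in Scott's transcript. The function names are my own; the rejection errno ENAMETOOLONG is the one behind the "File name too long" message in the transcript.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define MAX_FILE_LEN 256   /* same size as sysstat's common.h, quoted above */

/*
 * The quoted sadc.c pattern is  strcpy(ofile, argv[opt]);  strcpy() copies
 * until it meets a NUL, so an argument of MAX_FILE_LEN or more characters
 * runs past the end of the 256-byte 'ofile' array.  Hardened replacement:
 * find the terminator within the buffer size *before* copying and reject
 * anything that does not fit.  Returns 0, or -1 with errno = ENAMETOOLONG.
 */
int set_output_file(char ofile[MAX_FILE_LEN], const char *arg)
{
    /* memchr() stops at the first NUL, so at most MAX_FILE_LEN bytes of
       'arg' are read and nothing is written until the length is known. */
    const char *nul = memchr(arg, '\0', MAX_FILE_LEN);
    if (nul == NULL) {                /* 256+ chars: no room for the NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    size_t len = (size_t)(nul - arg); /* strictly < MAX_FILE_LEN */
    memcpy(ofile, arg, len + 1);      /* +1 copies the terminator */
    return 0;
}

/* Mirrors the mail's reproduction (a name of n 'A's, constructed here)
   against the hardened copy: returns the length stored in a MAX_FILE_LEN
   buffer, or -1 if the name was rejected. */
int stored_length_for_name(size_t n)
{
    static char ofile[MAX_FILE_LEN];
    char name[1024];                  /* covers the lengths used below */
    if (n >= sizeof name)
        return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    if (set_output_file(ofile, name) != 0)
        return -1;
    return (int)strlen(ofile);
}

int main(void)
{
    size_t lens[] = { 200, 255, 256, 290 };   /* constructed test lengths */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%3zu 'A's: %s\n", lens[i],
               stored_length_for_name(lens[i]) < 0 ? "rejected" : "accepted");
    return 0;
}
```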
