Vulnerability Development: Re: *BSD user-ppp local root (when conditions permit)

Re: *BSD user-ppp local root (when conditions permit)

From: Eygene Ryabinkin <rea-sec_at_codelabs.ru>
Date: Sun, 2 Mar 2008 02:06:34 +0300

Good day.

Fri, Feb 29, 2008 at 04:39:03PM -0000, sipherr_at_gmail.com wrote:
> I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also works on OpenBSD (unconfirmed on 4.2)
>
> Steps to reproduce:
>
> 1. Run ppp
>
> 2. type the following (or at least some variation of)
>
> ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>
>
> This will produce a segmentation violation (Core dumped).

Yes, good catch: looks like a stack-based buffer overflow. Also works
on FreeBSD 7.0. Could you please test the following rough patch --
it seems to cure the situation. Although it is a bit late for
today and I will recheck it more carefully tomorrow.

diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c
index 77f06a1..0cf01d1 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
@@ -82,6 +82,10 @@ InterpretArg(const char *from, char *to)
     from++;
 
   while (*from != '\0') {
+ if (to >= endto) {
+ *endto = '\0';
+ return from;
+ }
     switch (*from) {
       case '"':
         instring = !instring;
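Review bot: `endto` is used in the new check at the top of the `while` loop, but no hunk in this patch declares or initialises it, and the signature in the hunk header, `InterpretArg(const char *from, char *to)`, carries no destination size. As posted, any bound would have to be assumed inside the function; passing the buffer size in from the caller and deriving `endto` from it would be safer. Because the check writes `*endto = '\0'`, `endto` must point at the last writable byte rather than one past the end, which deserves a comment next to its definition. The early `return from;` also truncates silently, so the caller cannot tell an overlong argument from a complete one.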
@@ -97,6 +101,10 @@ InterpretArg(const char *from, char *to)
             *to++ = '\\'; /* Pass the escapes on, maybe skipping \# */
             break;
         }
+ if (to >= endto) {
+ *endto = '\0';
+ return from;
+ }
         *to++ = *from++;
         break;
       case '$':
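Review bot: the check added before `*to++ = *from++;` can return in the middle of an escape sequence. Judging by the context comment about passing escapes on, this sits in the backslash handling, so `from` may already have moved past the backslash when `return from;` runs, and a caller that resumes parsing at the returned pointer would treat the escaped character as an ordinary one. Reporting truncation as an error would avoid that ambiguity. The same four-line check now appears three times in the patch; a small helper or macro would keep the copies from drifting apart.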
@@ -127,6 +135,10 @@ InterpretArg(const char *from, char *to)
             *ptr++ = *from;
           *ptr = '\0';
         }
+ if (to >= endto) {
+ *endto = '\0';
+ return from;
+ }
         if (*to == '\0')
           *to++ = '$';
         else if ((env = getenv(to)) != NULL) {
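Review bot: the bound check in the `$` case comes too late, because the context lines above it, `*ptr++ = *from;` and `*ptr = '\0';`, have already written by the time `to >= endto` is tested. Since `getenv(to)` reads the variable name from `to`, `ptr` appears to be writing into the same destination buffer, and nothing in the visible lines limits that loop to `endto`. The loop that copies the name should carry the bound itself. The copy of the `getenv()` result that follows is outside this hunk, so it is not possible to confirm from the patch that the expanded value is length-checked; a long environment value is the obvious case to test.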
@@ -142,6 +154,10 @@ InterpretArg(const char *from, char *to)
         if (len == 0)
           pwd = getpwuid(ID0realuid());
         else {
+ if (to + len >= endto) {
+ *to = '\0';
+ return from;
+ }
           strncpy(to, from, len);
           to[len] = '\0';
           pwd = getpwnam(to);
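Review bot: `if (to + len >= endto)` forms the pointer `to + len` before it is known to lie inside the buffer, which is undefined behaviour for a large `len` and can wrap so that the test passes. Comparing lengths instead, for example `len >= (size_t)(endto - to)`, avoids that. This hunk terminates with `*to = '\0'` while the other three use `*endto = '\0'`; a comment explaining the difference, or a single shared truncation path, would make the intent clear. The copy of the looked-up home directory after `getpwnam(to)` is not in the hunk, so whether that expansion is bounded cannot be seen from the patch.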

Thank you!

-- 
Eygene
Received on Mar 03 2008