Date:      Sun, 2 Mar 2008 02:06:34 +0300
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        sipherr@gmail.com
Cc:        freebsd-security@freebsd.org, vuln-dev@securityfocus.com
Subject:   Re: *BSD user-ppp local root (when conditions permit)
Message-ID:  <eJwztaR4hgj0LBOZtN1f3kC2qd8@49l6neKHPg6j4SHeejH198Klzys>
Resent-Message-ID: <hztXv7tL7cogjuoaKVM3hjwoMIM@anT1rBJxFFmtDIxMAcBOkF9Caq8>
In-Reply-To: <20080229163903.3680.qmail@securityfocus.com>
References:  <20080229163903.3680.qmail@securityfocus.com>

Good day.

[Reposting this message to the freebsd-security from my subscribed address.
Sorry for possible duplicates.]

Fri, Feb 29, 2008 at 04:39:03PM -0000, sipherr@gmail.com wrote:
> I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also works on OpenBSD (unconfirmed on 4.2)
> 
> Steps to reproduce:
> 
> 1. Run ppp
> 
> 2. Type the following (or at least some variation of)
> 
> ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> 
> 
> 
> This will produce a segmentation violation (Core dumped).

Yes, good catch: looks like stack-based buffer overflow.  Also works
on FreeBSD 7.0.  Could you please test the following rough patch --
it seems to cure the situation.  Although it is a bit late for
today and I will recheck it more carefully tomorrow.

diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c
index 77f06a1..0cf01d1 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
@@ -82,6 +82,10 @@ InterpretArg(const char *from, char *to)
     from++;
 
   while (*from != '\0') {
+    if (to >= endto) {
+	*endto = '\0';
+	return from;
+    }
     switch (*from) {
       case '"':
         instring = !instring;
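Review bot: `endto` is used in every hunk but no hunk in this patch declares or initialises it, and the InterpretArg signature in the hunk headers (`const char *from, char *to`) carries no length argument, so as posted the patch does not compile and it is unclear which buffer size the bound is taken from; please include that declaration in the patch. Because the truncation path stores through it (`*endto = '\0';`), endto must point at the last byte of the destination buffer, not one past it, and a comment at the declaration saying so would help. Minor: the added lines are tab-indented while the surrounding code uses two spaces.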
@@ -97,6 +101,10 @@ InterpretArg(const char *from, char *to)
             *to++ = '\\';	/* Pass the escapes on, maybe skipping \# */
             break;
         }
+	if (to >= endto) {
+		*endto = '\0';
+		return from;
+	}
         *to++ = *from++;
         break;
       case '$':
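Review bot: the new check sits after `*to++ = '\\';` in the escape case, so that byte is stored before the bound is tested; this is only safe because the loop-top check guarantees `to < endto` on entry and endto is the last byte, which deserves a comment since editing either check in isolation breaks the invariant. On truncation the function also returns `from` still pointing into the middle of the argument; please confirm that every caller treats a return value that has not consumed the whole token as an error rather than parsing the remainder as the next argument.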
@@ -127,6 +135,10 @@ InterpretArg(const char *from, char *to)
             *ptr++ = *from;
           *ptr = '\0';
         }
+	if (to >= endto) {
+		*endto = '\0';
+		return from;
+	}
         if (*to == '\0')
           *to++ = '$';
         else if ((env = getenv(to)) != NULL) {
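Review bot: the check is reached only after the variable name has already been accumulated through `ptr` (`*ptr++ = *from;` / `*ptr = '\0';`) and it compares `to`, which has not advanced, rather than `ptr`, so a long `$name` token can still run past endto before this check fires. The name copy needs its own `ptr < endto` bound, and the copy of the getenv() result back into `to` that follows `else if ((env = getenv(to)) != NULL)` lies outside this hunk and must be bounded against endto as well.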
@@ -142,6 +154,10 @@ InterpretArg(const char *from, char *to)
         if (len == 0)
           pwd = getpwuid(ID0realuid());
         else {
+	  if (to + len >= endto) {
+		*to = '\0';
+		return from;
+	  }
           strncpy(to, from, len);
           to[len] = '\0';
           pwd = getpwnam(to);
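Review bot: the check guards only the explicit `~user` branch; the `len == 0` branch just above (`pwd = getpwuid(ID0realuid());`) gets no check, and that is the path the reported `~/~/~/...` input takes, since each `~/` has an empty user name. Whatever is copied into `to` from the password entry after `getpwnam(to)` / `getpwuid()` is outside this hunk and still needs a bound against endto, so please extend the patch to cover that copy. Minor: this hunk terminates with `*to = '\0'` while the others use `*endto = '\0'`; either works, but pick one.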

Thank you!
-- 
Eygene


