Re: *BSD user-ppp local root (when conditions permit)
Good day.
Fri, Feb 29, 2008 at 04:39:03PM -0000, sipherr@gmail.com wrote:
> I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also works on OpenBSD (unconfirmed on 4.2)
>
> Steps to reproduce:
>
> 1. Run ppp
>
> 2. type the following (or atleat some variation of)
>
> ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>
>
> This will produce a segmentation violation (Core dumped).
Yes, good catch: looks like stack-based buffer overflow. Also works
on FreeBSD 7.0. Could you please test the following rough patch --
it seem to cure the situation. Although it is a bit late for
today and I will recheck it more carefully tomorrow.
diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c
index 77f06a1..0cf01d1 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
@@ -82,6 +82,10 @@ InterpretArg(const char *from, char *to)
from++;
while (*from != '\0') {
+ if (to >= endto) {
+ *endto = '\0';
+ return from;
+ }
switch (*from) {
case '"':
instring = !instring;
@@ -97,6 +101,10 @@ InterpretArg(const char *from, char *to)
*to++ = '\\'; /* Pass the escapes on, maybe skipping \# */
break;
}
+ if (to >= endto) {
+ *endto = '\0';
+ return from;
+ }
*to++ = *from++;
break;
case '$':
@@ -127,6 +135,10 @@ InterpretArg(const char *from, char *to)
*ptr++ = *from;
*ptr = '\0';
}
+ if (to >= endto) {
+ *endto = '\0';
+ return from;
+ }
if (*to == '\0')
*to++ = '$';
else if ((env = getenv(to)) != NULL) {
@@ -142,6 +154,10 @@ InterpretArg(const char *from, char *to)
if (len == 0)
pwd = getpwuid(ID0realuid());
else {
+ if (to + len >= endto) {
+ *to = '\0';
+ return from;
+ }
strncpy(to, from, len);
to[len] = '\0';
pwd = getpwnam(to);
Thank you!
--
Eygene
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 2 之 6 篇):