tcsh buffer overflow

From: Wichert Akkerman (wichertat_private)
Date: Mon Sep 14 1998 - 18:02:24 PDT


    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: quoted-printable
    
    
    After the recent bash buffer-overflow mess I took a short look at
    tcsh and found that it has the same problems: the current-directory
    path is copied into fixed-size MAXPATHLEN buffers with no length check.
    Although tcsh scripts are very uncommon, this is still exploitable.
    Below is a patch which should fix the problems.
    
    Wichert.
    
    
    --- tcsh-6.07.06.orig/sh.dir.c
    +++ tcsh-6.07.06/sh.dir.c
    @@ -78,7 +78,7 @@
         char    path[MAXPATHLEN];
    =20
         /* Don't believe the login shell home, because it may be a symlink */
    -    tcp =3D (char *) getwd(path);
    +    tcp =3D (char *) getcwd(path, MAXPATHLEN);
         if (tcp =3D=3D NULL || *tcp =3D=3D '\0') {
            xprintf("%s: %s\n", progname, path);
            if (hp && *hp) {
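Review bot: The error path still prints `path` after the call fails, but getcwd() — unlike getwd(), which it replaces — does not write an error message into the buffer, so the `xprintf("%s: %s\n", progname, path)` on the line after the NULL check now prints whatever uninitialized stack bytes `path` held (it is declared without an initializer at the top of the hunk). Report the failure from errno instead, e.g. `xprintf("%s: %s\n", progname, strerror(errno));`, and pass `sizeof path` rather than repeating MAXPATHLEN so the bound stays tied to the declaration. The enclosing function starts before and ends after this hunk.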
    @@ -549,7 +549,8 @@
         }
     #endif /* apollo */
               =20
    -    (void) strcpy(ebuf, short2str(cp));
    +    (void) strncpy(ebuf, short2str(cp), MAXPATHLEN);   // WTA: make sure we =
    don't overflow ebuf
    +    ebuf[MAXPATHLEN-1]=3D0;
         /*
          * if we are ignoring symlinks, try to fix relatives now.
          * if we are expading symlinks, it should be done by now.
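Review bot: The new `strncpy` plus manual terminator silently truncates an over-long path into `ebuf` instead of rejecting it, and a truncated directory name is a different — possibly existing — directory, so the overflow turns into a silent wrong-directory bug; check the length before copying, e.g. `if (strlen(short2str(cp)) >= MAXPATHLEN) { /* report and bail out */ }`, and only then copy. The bound also assumes `ebuf` is exactly MAXPATHLEN bytes; its declaration is outside this hunk, so `sizeof ebuf` would be the safer spelling if it is an array. The `// WTA:` comment is C99/C++ syntax that the pre-ANSI compilers tcsh still targets in this era will not accept, and the mail's quoted-printable soft break has split it across two physical lines, so the patch will not apply as posted; use a `/* ... */` comment on one line.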
    @@ -1061,7 +1062,7 @@
     #endif /* apollo */
                    continue;       /* canonicalize the link */
                }
    -#endif /* S_IFLNK */
    +#endif /* S_IFLNKXYZ */
                if (slash)
                    *p =3D '/';
            }
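Review bot: The only change in this hunk rewrites the trailing comment on `#endif` from `S_IFLNK` to `S_IFLNKXYZ`, which has no effect on compilation but leaves the comment disagreeing with the `#ifdef S_IFLNK` it presumably closes (the matching `#ifdef` is outside this hunk). This looks like a leftover from local editing and should be dropped from the patch, keeping `#endif /* S_IFLNK */`; the identical edit in the later `-1119,7` hunk should go too.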
    @@ -1096,7 +1097,8 @@
            /*
             * Start comparing dev & ino backwards
             */
    -       p2 =3D Strcpy(link, cp);
    +       p2 =3D Strncpy(link, cp, MAXPATHLEN); // WTA: remember that length-check!
    +       link[MAXPATHLEN-1]=3D0;
            found =3D 0;
            while (*p2 && stat(short2str(p2), &statbuf) !=3D -1) {
                if (DEV_DEV_COMPARE(statbuf.st_dev, home_dev) &&
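Review bot: `Strncpy(link, cp, MAXPATHLEN)` followed by `link[MAXPATHLEN-1]=0` truncates rather than rejects, and the loop that follows walks the (now possibly truncated) copy backwards comparing dev/ino against the home directory, so a truncated path can resolve to some other existing directory and be accepted as `found`. Since `Strncpy` is tcsh's own wide-`Char` copy, confirm that its count argument is in `Char`s and that `link` is declared with MAXPATHLEN `Char` elements (its declaration is outside this hunk); a length check before the copy that fails the canonicalisation when `Strlen(cp) >= MAXPATHLEN` would be the safer fix. The `// WTA:` comment has the same portability problem as in the other hunks — use `/* ... */`.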
    @@ -1119,7 +1121,7 @@
                cp =3D newcp;
            }
         }
    -#endif /* S_IFLNK */
    +#endif /* S_IFLNKXYZ */
    =20
     #ifdef apollo
         if (slashslash) {
    @@ -1255,7 +1257,9 @@
                    return (0);
            }
         }
    -    (void) Strcpy(s, dp->di_name);
    +
    +    (void) Strncpy(s, dp->di_name, MAXPATHLEN); // WTA: assume MAXPATHLEN =
    is okay
    +    s[MAXPATHLEN-1]=3D0;
         return (1);
     }
    =20
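Review bot: The new `Strncpy(s, dp->di_name, MAXPATHLEN)` bounds the copy by a size this function does not know: `s` appears to be a caller-supplied buffer whose length is not visible here (the function's signature is outside this hunk), and the `// WTA: assume MAXPATHLEN is okay` comment records exactly that assumption. Writing up to MAXPATHLEN-1 Chars plus a terminator into `s` still overflows any caller that passed something smaller, which is the same class of bug this patch is closing; either pass the destination size in as a parameter, or verify and document the MAXPATHLEN contract at every call site. As in the other hunks, the `//` comment is not valid in the C dialect tcsh targets, and the mail's quoted-printable soft break has split it across two physical lines, so the patch will not apply cleanly as posted.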
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    
    iQB1AwUBNf28oKjZR/ntlUftAQFoDgMAgFSP5EMZwglxdpU/SRfTDFL39gXDlA3R
    PJo/eZg3/YZbZwlFvHYLAGlWbSY3pxN1pZ+TVBSiLFNMqFHwfHReEcFFMKFcQGuF
    R1KOeE/6F8KPpGHc89g3pcIaPPP9N4B0
    =eO9d
    -----END PGP SIGNATURE-----
    
    


