('binary' encoding is not supported, stored as-is) There is a vulnerability in uml_net. The latest version is vulnerable too. The problem is the lack of bounds checking in uml_net.c from uml_utilities, A possible attack could lead to root compromise on some systems since for example uml_net comes suided root in RH 8.0 by default. Let's look over the code: * int n = 3, v; we observe how "v" is declared, as a signed integer. with a little bit of "luck" will end up here, knowing that "v" will get the value of the first parameter (an integer) given to the program: * if(v > CURRENT_VERSION) so... if "v" is smaller than 0, the test will be passed but "v" will not be between 0 and CURRENT_VERSION as the author would expected to. after some tests on the second parameter of the program... we should arrive to this code: * if(handlers[v] != NULL) (*handlers[v])(argc - n, &argv[n]); here it is called the function located at handlers[v]. by suplying a large negative integer for "v", handlers[v] can point to the stack which can be controlled by the user. so, the program can be fooled to call a user controlled "function". since the root privileges are not dropped till this point... the user code will be executed with super-user privileges. Suggested patch: uml_net.c - if(v > CURRENT_VERSION){ + if ((v > CURRENT_VERSION) || (v < 0)) { Contact: kthaat_private
This archive was generated by hypermail 2b30 : Sat May 24 2003 - 10:09:47 PDT