PST Linux Advisor--------Dsh-0.24.0 in debian has a home env Buffer Overflow Vulnerability

From: yan feng (jskat_private)
Date: Sat Aug 09 2003 - 18:12:27 PDT

    ========================================
     Ph4nt0m Security Advisory #2003--8-10
    ========================================

    Dsh-0.24.0 in debian has a home env Buffer Overflow Vulnerability
    
    
    By "jsk" (akun), in ph4nt0m.net(c) Security.
    E-mail: jskat_private 
    
    
    Advisory Number : pst-2003--8-10-004
    name            : dsh
    versions        : 0.24.0 possible in 0.24.1
    Vendor          : http://fresh.t-systems-sfr.com/linux/src/dsh-0.24.0.tar.gz
    summary         : Local&remote
    os(s)           : *nix
     
    *****************************************************************************
    Description : the bug should be in the Debian OS; successful exploitation
    could result in arbitrary code execution with potentially elevated privileges.
    *****************************************************************************
    Vulnerability details:
    *****************************************************************************
    
    dsh.c

    #include <stdio.h>
    #include <stdlib.h>
    #include <locale.h>
    #include <libintl.h>

    /* excerpt of main(); PACKAGE, PACKAGE_NAME, LOCALEDIR, DSH_CONF, _()
       and load_configfile() are defined elsewhere in the dsh source */
    int main(int ac, char **av)
    {
      char *buf=NULL;

      setlocale (LC_ALL, "");
      if (!textdomain(PACKAGE_NAME))
        {
          if (!bindtextdomain(PACKAGE_NAME, LOCALEDIR))
            fprintf (stderr, "%s: failed to call bindtextdomain\n", PACKAGE);
        }

      load_configfile(DSH_CONF);
      /* the config path is built directly from the HOME environment variable */
      if (asprintf (&buf, "%s/.dsh/dsh.conf", getenv("HOME")) < 0) /* .............lol */
        {
          fprintf (stderr, _("%s: asprintf failed\n"), PACKAGE);
          exit (1);
        }
      load_configfile(buf);
      free (buf);
      /* remainder of main() not quoted in the advisory */
    }
    
    
    Definition of asprintf:
    
    #include <stdarg.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/types.h>

    int asprintf(char **strp, const char *fmt, ...)
    {
      /* buffer size is derived from the format string only, not from the arguments */
      ssize_t buflen = 50 * strlen(fmt); /* pick a number, any number */ /* .............lol */
      *strp = malloc(buflen);

      if (*strp)
      {
        va_list ap;
        va_start(ap, fmt);
        vsnprintf(*strp, buflen, fmt, ap); /* ..................................lol */
        va_end(ap);
        return buflen;
      }
      return -1; /* malloc failure path; assumed, not quoted in the advisory */
    }
    hey:
    
    getenv("HOME") > 50*strlen("%s/.dsh/dsh.conf")  ......buf overflow......
    *****************************************************************************
    By "jsk" (akun), in ph4nt0m.net(c) Security.
    E-mail: jskat_private
    ph4nt0m Security Team: http://www.ph4nt0m.net
    My World: http://jsk.ph4nt0m.net
    MY GnuPG Public Key: http://202.119.104.82/webeq/app/jsk/jsk.asc
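The sizing strategy of the quoted asprintf beside a length-derived alternative, as an added example that is neither dsh's code nor the advisory's (the names fixed_size_asprintf, sized_asprintf and conf_path_len and the all-'A' HOME value are this example's own constructions). The first function reproduces the 50 * strlen(fmt) allocation, the second sizes the buffer from a dry-run vsnprintf so the allocation always follows the length of the arguments, and the helper feeds a constructed HOME through the same "%s/.dsh/dsh.conf" format that dsh's main() uses.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizing strategy quoted in the advisory, reproduced for comparison: buflen
 * depends only on fmt, never on the arguments (here the value of HOME). */
int fixed_size_asprintf(char **strp, const char *fmt, ...)
{
    size_t buflen = 50 * strlen(fmt);
    va_list ap;
    if ((*strp = malloc(buflen)) == NULL) return -1;
    va_start(ap, fmt);
    vsnprintf(*strp, buflen, fmt, ap);
    va_end(ap);
    return (int)buflen;   /* reports buflen, not the formatted length */
}

/* Two-pass replacement: a dry-run vsnprintf yields the exact output length,
 * so the allocation follows the arguments instead of a guess from fmt. */
int sized_asprintf(char **strp, const char *fmt, ...)
{
    va_list ap, ap2;
    int need;
    *strp = NULL;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    need = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (need >= 0) *strp = malloc((size_t)need + 1);
    if (*strp != NULL) vsnprintf(*strp, (size_t)need + 1, fmt, ap2);
    va_end(ap2);
    return *strp != NULL ? need : -1;
}

/* Constructed input: a HOME of home_len 'A' bytes. Formats "%s/.dsh/dsh.conf"
 * as dsh's main() does and returns the length the chosen variant reports. */
int conf_path_len(size_t home_len, int use_sized)
{
    char *home = malloc(home_len + 1), *out = NULL;
    int n;
    if (home == NULL) return -1;
    memset(home, 'A', home_len);
    home[home_len] = '\0';
    n = use_sized ? sized_asprintf(&out, "%s/.dsh/dsh.conf", home)
                  : fixed_size_asprintf(&out, "%s/.dsh/dsh.conf", home);
    free(out);
    free(home);
    return n;
}
```

With the format string at 16 bytes, the fixed-size variant reports 800 whatever HOME holds, while the sized variant reports the true path length (HOME length plus 14).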
    



    This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 12:46:02 PDT