Re: sadc Segmentation Fault

From: VISC Network (viscnetat_private)
Date: Fri Dec 07 2001 - 03:22:23 PST

    I just did a quick look at sadc source code included in sysstat-3.3.5
    package (RH 7.1).
    
    /* sadc.c */
        1214:    char ofile[MAX_FILE_LEN];
    
    ...
    
        1320:                /* Write data to file */
        1321:                strcpy(ofile, argv[opt]);
    ..
    // EOF
    
    [redragon@redhat sysstat-3.3.5]$ grep MAX_FILE_LEN *.h
    common.h:#define MAX_FILE_LEN   256
    
    The space reserved on the stack for 'ofile' is 256 bytes. So when running
    the program with an argument longer than 256 characters, the data overflows
    the buffer.
    
    It's easy to write an exp for this bug. But no file in sysstat package has
    suid .. ehe ;-D
    
    Further, not only sadc; there are similar bugs in the sysstat package, e.g.: sar
    -f `perl -e 'print "A" x 300'`
    
    [redragon@redhat sysstat-3.3.5]$ grep strcpy *.c
    iostat.c:           strcpy(disk_hdr_stats[part_nr++].name, part_hdr.name);
    sadc.c:      strcpy(st_net_dev_i->interface, "?");
    sadc.c:        strcpy(ofile, argv[opt]);
    sadc.c:     strcpy(ofile, new_ofile);
    sar.c:   strcpy(args[i], ltemp);
    sar.c:      strcpy(to_file, argv[opt++]);
    sar.c:      strcpy(to_file, "-");
    sar.c:      strcpy(from_file, argv[opt++]);
    sar.c:      strcpy(time_stamp, argv[opt++]);
    sar.c:      strcpy(time_stamp, DEF_TMSTART);
    sar.c:      strcpy(time_stamp, argv[opt++]);
    sar.c:      strcpy(time_stamp, DEF_TMEND);
    sar.c:         strcpy(ltemp, K_SELF);
    sar.c:      strcpy(ltemp, "1");
    
    The author of sysstat was notified of this bug.
    The latest version of sysstat (4.0.2) is buggy as well.
    
    ReDragon
    ------------------------------------------------------
    Email: redragon at vnSecurity.net
    http://www.vnSecurity.net
    
    
    "smackenz" <smackenzat_private> wrote :
    >Bug with Command::              sadc
    >Located::                       /usr/lib/sa/sadc
    >Date:           Mon Dec  3 21:01:19 GMT 2001
    >Program:        sadc  (/usr/lib/sa/sadc)
    >Problem:        Segmentation fault
    >DESCRIPTION (from man)
    >        The sadc command samples system data a specified number of
    >        times  (  count ) at a specified interval measured in sec
    >        onds ( interval ).
    >        The sadc command is intended to be used as  a  backend  to
    >        the sar command.
    >        The proc filesystem must be mounted for the sadc command to work.
    >        /var/log/sa/sadd  -->  daily report file.
    >
    >I don't know much about this command except it is run with system level
    >privileges by executing /usr/lib/sa/sadc [if you have it on your system].
    >I'm not sure if this command is occasionally run by root from a default
    >install (i.e. redhat 7.1) since I have had no time at all to look into it.
    >If anyone knows more about the system usage of this program, their
    >comments would be greatly appreciated.
    >See below for shell examples.
    >-----------------------------------------------
    >[smackenz@mainframe smackenz]$ id
    >uid=1001(smackenz) gid=1001(smackenz) groups=1001(smackenz)
    >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc Cannot open
    >/var/log/sa/sa03: Permission denied
    ><log files.....>
    >smackenz@mainframe smackenz]$ ps aux |grep sadc
    >smackenz  1608  0.0  0.2  1732  592 pts/1    R    21:14   0:00   grep sadc
    ><not running at all....>
    >Following this as user 'smackenz' I carried out the following commands:
    >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 200'`
    >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 210'`
    >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 220'`
    >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 230'`
    >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 240'`
    >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 250'`
    >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 260'`
    >Cannot open
    >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
    >File name too long
    >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 270'`
    >Cannot open
    >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
    >File name too long
    >etc.... until
    >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 290'`
    >Segmentation fault (core dumped)
    >-------------------------------------------------------
    >Later
    >Scott.
    
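Added example (not code from either post and not sysstat's own source): the copy pattern the thread describes, a `strcpy()` of `argv[opt]` into a 256-byte stack array, placed beside two bounded forms that reject an over-long name instead of writing past the buffer. `MAX_FILE_LEN` takes the value quoted from common.h; the function names, the `make_a_string` helper that mimics the perl one-liner, and the 290-character probe length are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same limit as sysstat's common.h; the array sizes below follow the post. */
#define MAX_FILE_LEN 256

/* The pattern the post reports: strcpy() copies strlen(arg)+1 bytes no
 * matter how large ofile is, so any argument of 256 or more characters
 * writes past the end of the buffer. Shown for comparison; in this file
 * it is only ever called with a short, constructed string. */
static void set_ofile_unbounded(char ofile[MAX_FILE_LEN], const char *arg)
{
    strcpy(ofile, arg);
}

/* Hardened form 1: measure first, copy only if the name and its NUL fit.
 * Returns 0 on success, -1 when the name is too long (ofile untouched). */
static int set_ofile_checked(char ofile[MAX_FILE_LEN], const char *arg)
{
    size_t n = strlen(arg);
    if (n >= MAX_FILE_LEN)
        return -1;
    memcpy(ofile, arg, n + 1);   /* n + 1 includes the terminating NUL */
    return 0;
}

/* Hardened form 2: snprintf() always NUL-terminates within the bound and
 * returns the length it wanted to write, so truncation is detectable. */
static int set_ofile_snprintf(char ofile[MAX_FILE_LEN], const char *arg)
{
    int r = snprintf(ofile, MAX_FILE_LEN, "%s", arg);
    if (r < 0 || (size_t)r >= MAX_FILE_LEN) {
        ofile[0] = '\0';         /* discard the truncated name */
        return -1;
    }
    return 0;
}

typedef int (*setter_fn)(char ofile[MAX_FILE_LEN], const char *arg);

/* Builds a constructed argument of `len` 'A's, like the perl one-liner in
 * the post, so the bounds can be probed without a shell. Caller frees. */
static char *make_a_string(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        abort();
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Returns 1 if `set` accepts an argument of `len` characters and leaves a
 * NUL-terminated copy of the expected length in ofile, 0 if it rejects it. */
static int accepts_length(setter_fn set, size_t len)
{
    char ofile[MAX_FILE_LEN];
    char *arg = make_a_string(len);
    int rc = set(ofile, arg);
    int ok = (rc == 0) && (strlen(ofile) == len);
    free(arg);
    return ok;
}

int main(int argc, char **argv)
{
    char ofile[MAX_FILE_LEN];
    const char *name = (argc > 1) ? argv[1] : NULL;
    char *probe = NULL;

    if (name == NULL) {
        probe = make_a_string(290);   /* the length that crashed sadc in the post */
        name = probe;
    }

    set_ofile_unbounded(ofile, "sa03");   /* safe: a short constructed name */
    printf("unbounded copy of a short name: %s\n", ofile);

    if (set_ofile_checked(ofile, name) == 0)
        printf("checked copy accepted %zu-character name\n", strlen(name));
    else
        printf("checked copy rejected %zu-character name: File name too long\n", strlen(name));

    if (set_ofile_snprintf(ofile, name) == 0)
        printf("snprintf copy accepted %zu-character name\n", strlen(name));
    else
        printf("snprintf copy rejected %zu-character name: File name too long\n", strlen(name));

    free(probe);
    return 0;
}
```

Two points worth taking from this. First, the boundary is 255 characters, not 256: the terminating NUL needs a byte too, so a 256-character name already writes one byte past the array. That matters for reading the quoted session, where the 260- to 280-character runs reported only the kernel's "File name too long" from `open()` although the copy had already overflowed; the segmentation fault at 290 is just the point where the overwrite reached something the program needed. Second, `strncpy(ofile, arg, MAX_FILE_LEN)` is not an equivalent fix, because it leaves `ofile` without a NUL when the source fills the buffer; either check the length before copying or use `snprintf()` and treat a return value of `MAX_FILE_LEN` or more as an error.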



    This archive was generated by hypermail 2b30 : Fri Dec 07 2001 - 08:16:49 PST