OpenServer 5.0.6 sadc also causes core dump...

-KF

VISC Network wrote:
>
> I just did a quick look at sadc source code included in sysstat-3.3.5
> package (RH 7.1).
>
> /* sadc.c */
> 1214: char ofile[MAX_FILE_LEN];
>
> ...
>
> 1320: /* Write data to file */
> 1321: strcpy(ofile, argv[opt]);
> ..
> // EOF
>
> [redragon@redhat sysstat-3.3.5]$ grep MAX_FILE_LEN *.h
> common.h:#define MAX_FILE_LEN 256
>
> The space reserved in the stack for 'ofile' is 256 bytes. So when running
> the program with an argument longer than 256 characters, the data overflows
> the buffer.
>
> It's easy to write an exp for this bug. But no file in sysstat package has
> suid .. ehe ;-D
>
> Further, not only sadc, there are similar bugs in sysstat package, Ex : sar
> -f `perl -e 'print "A" x 300'`
>
> [redragon@redhat sysstat-3.3.5]$ grep strcpy *.c
> iostat.c: strcpy(disk_hdr_stats[part_nr++].name, part_hdr.name);
> sadc.c: strcpy(st_net_dev_i->interface, "?");
> sadc.c: strcpy(ofile, argv[opt]);
> sadc.c: strcpy(ofile, new_ofile);
> sar.c: strcpy(args[i], ltemp);
> sar.c: strcpy(to_file, argv[opt++]);
> sar.c: strcpy(to_file, "-");
> sar.c: strcpy(from_file, argv[opt++]);
> sar.c: strcpy(time_stamp, argv[opt++]);
> sar.c: strcpy(time_stamp, DEF_TMSTART);
> sar.c: strcpy(time_stamp, argv[opt++]);
> sar.c: strcpy(time_stamp, DEF_TMEND);
> sar.c: strcpy(ltemp, K_SELF);
> sar.c: strcpy(ltemp, "1");
>
> The author of sysstat was notified on this bug.
> Latest version of sysstat (4.0.2) is buggy also
>
> ReDragon
> ------------------------------------------------------
> Email: redragon at vnSecurity.net
> http://www.vnSecurity.net
>
> "smackenz" <smackenzat_private> wrote :
> >Bug with Command:: sadc
> >Located:: /usr/lib/sa/sadc
> >Date: Mon Dec 3 21:01:19 GMT 2001
> >Program: sadc (/usr/lib/sa/sadc)
> >Problem: Segmentation fault
> >DESCRIPTION (from man)
> > The sadc command samples system data a specified number of
> > times ( count ) at a specified interval measured in seconds ( interval ).
> > The sadc command is intended to be used as a backend to
> > the sar command.
> > The proc filesystem must be mounted for the sadc command to work.
> > /var/log/sa/sadd --> daily report file.
> >
> >I don't know much about this command except it is run with system level
> >privileges by executing /usr/lib/sa/sadc [if you have it on your system].
> >I'm not sure if this command is occasionally run by root from a default
> >install (i.e. redhat 7.1) since I have had no time at all to look into it.
> >If anyone knows more about the system usage of this program, their
> >comments would be greatly appreciated.
> >See below for shell examples.
> >-----------------------------------------------
> >[smackenz@mainframe smackenz]$ id
> >uid=1001(smackenz) gid=1001(smackenz) groups=1001(smackenz)
> >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc
> >Cannot open /var/log/sa/sa03: Permission denied
> ><log files.....>
> >[smackenz@mainframe smackenz]$ ps aux |grep sadc
> >smackenz 1608 0.0 0.2 1732 592 pts/1 R 21:14 0:00 grep sadc
> ><not running at all....>
> >Following this as user 'smackenz' I carried out the following commands:
> >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 200'`
> >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 210'`
> >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 220'`
> >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 230'`
> >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 240'`
> >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 250'`
> >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 260'`
> >Cannot open
> >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
> >File name too long
> >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 270'`
> >Cannot open
> >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
> >File name too long
> >etc.... until
> >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 290'`
> >Segmentation fault (core dumped)
> >-------------------------------------------------------
> >Later
> >Scott.
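The bounded copy the thread implies as the fix, as an added example that is not sysstat's own code: `set_ofile` replaces the `strcpy(ofile, argv[opt])` pattern with a length check against `MAX_FILE_LEN`, and `try_len` feeds it the same "A" x N arguments smackenz used so the 256-byte boundary is visible. The function names and the 512-byte scratch buffer are this example's assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The limit sysstat's common.h defines; the buffer below is this example's own. */
#define MAX_FILE_LEN 256

/*
 * Bounded replacement for the thread's `strcpy(ofile, argv[opt])`: copy the
 * argument only if it fits in `cap` bytes including the NUL. Returns 0 on
 * success; on an over-long argument returns -1 and leaves `ofile` empty, so
 * the caller can report "file name too long" instead of overrunning the stack.
 */
int set_ofile(char *ofile, size_t cap, const char *arg)
{
    size_t n = 0;
    if (cap == 0)
        return -1;
    while (n < cap && arg[n] != '\0')   /* never reads past cap bytes */
        n++;
    if (n >= cap) {                     /* no room for the NUL terminator */
        ofile[0] = '\0';
        return -1;
    }
    memcpy(ofile, arg, n + 1);          /* n bytes plus the NUL */
    return 0;
}

/* Constructed input, the thread's perl -e 'print "A" x N' built in C.
 * Returns 0 if an argument of `len` bytes is accepted, -1 if rejected. */
int try_len(size_t len)
{
    char arg[512];
    char ofile[MAX_FILE_LEN];
    if (len >= sizeof arg)              /* keep the constructed input in bounds */
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return set_ofile(ofile, sizeof ofile, arg);
}

int main(void)
{
    const size_t lens[] = { 200, 250, 255, 256, 260, 290 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%zu-byte argument: %s\n", lens[i],
               try_len(lens[i]) == 0 ? "accepted" : "rejected, too long");
    return 0;
}
```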
This archive was generated by hypermail 2b30 : Fri Dec 07 2001 - 09:32:52 PST