Re: sadc Segmentation Fault

From: KF (dotslashat_private)
Date: Fri Dec 07 2001 - 08:27:17 PST


    OpenServer 5.0.6 sadc also causes core dump... 
    -KF
    
    VISC Network wrote:
    > 
    > I just did a quick look at sadc source code included in sysstat-3.3.5
    > package (RH 7.1).
    > 
    > /* sadc.c */
    >     1214:    char ofile[MAX_FILE_LEN];
    > 
    > ...
    > 
    >     1320:                /* Write data to file */
    >     1321:                strcpy(ofile, argv[opt]);
    > ..
    > // EOF
    > 
    > [redragon@redhat sysstat-3.3.5]$ grep MAX_FILE_LEN *.h
    > common.h:#define MAX_FILE_LEN   256
    > 
    > The space reserved in the stack for 'ofile' is 256 bytes. So when running
    > the program with an argument longer than 256 characters, the data overflows
    > the buffer.
    > 
    > It's easy to write an exp for this bug. But no file in sysstat package has
    > suid .. ehe ;-D
    > 
    > Further, not only sadc, there are similar bugs in sysstat package, Ex : sar
    > -f `perl -e 'print "A" x 300'`
    > 
    > [redragon@redhat sysstat-3.3.5]$ grep strcpy *.c
    > iostat.c:           strcpy(disk_hdr_stats[part_nr++].name, part_hdr.name);
    > sadc.c:      strcpy(st_net_dev_i->interface, "?");
    > sadc.c:        strcpy(ofile, argv[opt]);
    > sadc.c:     strcpy(ofile, new_ofile);
    > sar.c:   strcpy(args[i], ltemp);
    > sar.c:      strcpy(to_file, argv[opt++]);
    > sar.c:      strcpy(to_file, "-");
    > sar.c:      strcpy(from_file, argv[opt++]);
    > sar.c:      strcpy(time_stamp, argv[opt++]);
    > sar.c:      strcpy(time_stamp, DEF_TMSTART);
    > sar.c:      strcpy(time_stamp, argv[opt++]);
    > sar.c:      strcpy(time_stamp, DEF_TMEND);
    > sar.c:         strcpy(ltemp, K_SELF);
    > sar.c:      strcpy(ltemp, "1");
    > 
    > The author of sysstat was notified of this bug.
    > The latest version of sysstat (4.0.2) is buggy also.
    > 
    > ReDragon
    > ------------------------------------------------------
    > Email: redragon at vnSecurity.net
    > http://www.vnSecurity.net
    > 
    > "smackenz" <smackenzat_private> wrote :
    > >Bug with Command::              sadc
    > >Located::                       /usr/lib/sa/sadc
    > >Date:           Mon Dec  3 21:01:19 GMT 2001
    > >Program:        sadc  (/usr/lib/sa/sadc)
    > >Problem:        Segmentation fault
    > >DESCRIPTION (from man)
    > >        The sadc command samples system data a specified number of
    > >        times  (  count ) at a specified interval measured in sec
    > >        onds ( interval ).
    > >        The sadc command is intended to be used as  a  backend  to
    > >        the sar command.
    > >        The proc filesystem must be mounted for the sadc command to work.
    > >        /var/log/sa/sadd  -->  daily report file.
    > >
    > >I don't know much about this command except it is run with system level
    > >privileges by executing /usr/lib/sa/sadc [if you have it on your system].
    > >I'm not sure if this command is occasionally run by root from a default
    > >install (i.e. redhat 7.1) since I have had no time at all to look into it.
    > >If anyone knows more about the system usage of this program, their
    > >comments would be greatly appreciated.
    > >See below for shell examples.
    > >-----------------------------------------------
    > >[smackenz@mainframe smackenz]$ id
    > >uid=1001(smackenz) gid=1001(smackenz) groups=1001(smackenz)
    > >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc Cannot open
    > >/var/log/sa/sa03: Permission denied
    > ><log files.....>
    > >smackenz@mainframe smackenz]$ ps aux |grep sadc
    > >smackenz  1608  0.0  0.2  1732  592 pts/1    R    21:14   0:00   grep sadc
    > ><not running at all....>
    > >Following this as user 'smackenz' I carried out the following commands:
    > >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 200'`
    > >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 210'`
    > >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 220'`
    > >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 230'`
    > >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 240'`
    > >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 250'`
    > >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 260'`
    > >Cannot open
    > >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
    > >File name too long
    > >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 270'`
    > >Cannot open
    > >AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
    > >File name too long
    > >etc.... until
    > >[smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 290'`
    > >Segmentation fault (core dumped)
    > >-------------------------------------------------------
    > >Later
    > >Scott.
    



    This archive was generated by hypermail 2b30 : Fri Dec 07 2001 - 09:32:52 PST