[DER ADV#8] - Local off by one in CVSD

From: david evlis reign (davidreignat_private)
Date: Sat May 25 2002 - 01:08:55 PDT


    Local off by one overflow in CVSD.
    
    intro:
    the family of scanf functions (scanf, sscanf, fscanf) is generally insecure 
    in usage, and steps have been taken to make them more... secure, you might say, 
    like adding bounds checking (sscanf(hey, "%.4096s %d", buffer, int)), but the 
    function still remains quite insecure, open to a lesser-known bug like an off by 
    one.
    
    WRONG:
    char buf[10];
    sscanf(hey, "%10s", buf); <-- field width 10: stores up to ten bytes, then writes the NUL as an eleventh...
    
    RIGHT:
    char buf[10];
    sscanf(hey, "%9s", buf); <-- see! nine bytes plus the terminator fit in ten
    
    therefore in the first example (WRONG) the last byte into buf will exceed the 
    allocated space (10 bytes) by one byte. woops. 
    (http://www.hert.org/papers/klog-1.html <-- nice article)
    
    details:
    
    in cvs-1.11/src/rcs.c:
    info = findnode (vers->other_delta, "special");
    	if (info != NULL)
    	{
    	    /* If the size of `devtype' changes, fix the sscanf call also */
    	    char devtype[16]; <-- SIXTEEN BYTES
    
    	    if (sscanf (info->data, "%16s %lu", <-- WOOPS SHOULD BE 15
    			devtype, &devnum_long) < 2)
    		error (1, 0, "%s:%s has bad `special' newphrase %s",
    		       workfile, vers->version, info->data);
    	    devnum = devnum_long;
    	    if (STREQ (devtype, "character"))
    		special_file = S_IFCHR;
    	    else if (STREQ (devtype, "block"))
    		special_file = S_IFBLK;
    	    else
    		error (0, 0, "%s is a special file of unsupported type `%s'",
    		       workfile, info->data);
    	}
        }
    
    this is only a locally exploitable hole since the data is read from 
    info->data, which in turn is from a symlinked local file (heh, you know where 
    to find it).
    
    we at der sys have created the following patch:
    
    __END_OF_PATCH;
    
    ##########################
    #DER PATCH FOR CVS < 1.11#
    ##########################
    
    --- rcs_old.c	Mon Jan 25 02:05:16 2002
    +++ rcs.c	Mon Jan 25 02:05:40 2002
    
    --- 4238:       if (sscanf (info->data, "%16s %lu",
    +++ 4238:       if (sscanf (info->data, "%.15s %lu",
    		devtype, &devnum_long) < 2)
    		error (1, 0, "%s:%s has bad `special' newphrase %s",
    		workfile, vers->version, info->data);
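    Review bot: the replacement directive on the `+++ 4238` line, `"%.15s %lu"`, is not valid scanf syntax: scanf conversions take a field width but no precision, so the `.` makes the directive undefined and in practice the conversion fails instead of bounding the store. The one-byte fix the advisory describes is `"%15s %lu"`, which stores at most 15 characters plus the terminator into the 16-byte `devtype`; the existing `< 2` count check then still catches a malformed phrase. The comment above the buffer ("If the size of `devtype' changes, fix the sscanf call also") is the place to note that the width must stay one less than `sizeof devtype`.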
    
    __END_OF_PATCH;
    
    vendor notification: nope.
    
    
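    The two points of the post, that "%Ns" always stores N+1 bytes and that the
    CVS `special' newphrase needs a width of sizeof(devtype)-1, shown as an added
    C example that is not part of the advisory or of the CVS source. The function
    names, the 40-character scratch input and the sample newphrases are
    constructed for the demonstration; scanf takes a field width ("%15s"), not a
    precision, which is why the widths below are built without a dot.

```c
#include <stdio.h>
#include <string.h>

/* Count how many bytes sscanf("%<width>s") stores into its destination.
 * The scratch buffer is larger than any width tested and is pre-filled with a
 * sentinel, so the bytes scanf touched can be counted afterwards.
 * Constructed input: 40 non-space characters, longer than any width used. */
size_t bytes_written_by_width(int width)
{
    static const char input[] = "0123456789abcdefghijklmnopqrstuvwxyzABCD";
    unsigned char scratch[64];
    char fmt[16];
    size_t n = 0;

    memset(scratch, 0xFF, sizeof scratch);
    snprintf(fmt, sizeof fmt, "%%%ds", width);      /* builds e.g. "%16s" */
    if (sscanf(input, fmt, (char *)scratch) != 1)
        return 0;
    /* scanf stores at most `width` characters and then always appends '\0',
     * so the touched region is width + 1 bytes long */
    while (n < sizeof scratch && scratch[n] != 0xFF)
        n++;
    return n;
}

/* Parse a CVS `special' newphrase of the form "<devtype> <devnum>" the way
 * rcs.c does, but derive the field width from the buffer size so the
 * terminator always fits. Returns 1 on success, 0 on a malformed phrase
 * (including a devtype too long for the buffer, which leaves non-digits in
 * front of the %lu conversion and makes the count check fail). */
int parse_special(const char *data, char *devtype, size_t devtype_size,
                  unsigned long *devnum)
{
    char fmt[32];

    if (devtype_size < 2 || devtype_size - 1 > 999)
        return 0;
    /* width = devtype_size - 1; hard-coding "%16s" next to char devtype[16]
     * is exactly the off-by-one from the advisory */
    snprintf(fmt, sizeof fmt, "%%%zus %%lu", devtype_size - 1);
    return sscanf(data, fmt, devtype, devnum) == 2;
}

/* Constructed well-formed phrase: parses and yields "character", 1234. */
int demo_parse_ok(void)
{
    char devtype[16];
    unsigned long devnum = 0;

    if (!parse_special("character 1234", devtype, sizeof devtype, &devnum))
        return 0;
    return strcmp(devtype, "character") == 0 && devnum == 1234;
}

/* Constructed over-long devtype (19 chars into a 16-byte buffer): the width
 * stops the store at 15 chars, the leftover "fXYZ" breaks %lu, result 0. */
int demo_parse_overlong(void)
{
    char devtype[16];
    unsigned long devnum = 0;

    return parse_special("0123456789abcdefXYZ 7", devtype, sizeof devtype,
                         &devnum);
}

int main(void)
{
    printf("\"%%16s\" stores %zu bytes, \"%%15s\" stores %zu bytes\n",
           bytes_written_by_width(16), bytes_written_by_width(15));
    printf("well-formed phrase parsed: %d, over-long devtype accepted: %d\n",
           demo_parse_ok(), demo_parse_overlong());
    return 0;
}
```

    Run against a 16-byte devtype, the first line shows 17 versus 16 bytes,
    which is the single byte the advisory is about; the second shows that the
    size-derived width rejects an over-long type through the existing count
    check instead of silently truncating it.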
    



    This archive was generated by hypermail 2b30 : Sat May 25 2002 - 10:46:35 PDT