Buffer overflow (local) in ppp, present in BSD variants (including the
fbsd 7.0 release).
Attached: how to do it, and how to "fix" it.
P.S.: Sorry if attachments are not allowed.
Regards,
Breno BF
--- Begin Message ---
/***********************************************************************************/
/*** pppx.conf - Point to Point Protocol (a.k.a. user-ppp) exploit by sipher     ***/
/*** 2003 / 12 /23 - PRIVATE CODE                                                ***/
/*** Program terminated with signal 11, Segmentation fault.                      ***/
/*** #0 0xbeefdead in ?? ()                                                      ***/
/***********************************************************************************/
I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also
works on OpenBSD (unconfirmed on 4.2)
Steps to reproduce:
1. Run ppp
2. type the following (or at least some variation of it)
~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
This will produce a segmentation violation (Core dumped).
Discovered by: sipher
Shouts: princess^pookie,spithash,burnout,#codemasters,[EMAIL PROTECTED]
--- End Message ---
--- Begin Message ---
Good day.
Fri, Feb 29, 2008 at 04:39:03PM -0000, [EMAIL PROTECTED] wrote:
> I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also
> works on OpenBSD (unconfirmed on 4.2)
>
> Steps to reproduce:
>
> 1. Run ppp
>
> 2. type the following (or at least some variation of it)
>
> ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>
>
> This will produce a segmentation violation (Core dumped).
Yes, good catch: looks like a stack-based buffer overflow. Also works
on FreeBSD 7.0. Could you please test the following rough patch --
it seems to cure the situation. Although it is a bit late for
today and I will recheck it more carefully tomorrow.
diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c
index 77f06a1..0cf01d1 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
@@ -82,6 +82,10 @@ InterpretArg(const char *from, char *to)
from++;
while (*from != '\0') {
+ if (to >= endto) {
+ *endto = '\0';
+ return from;
+ }
switch (*from) {
case '"':
instring = !instring;
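Review bot: `endto` is used here but is not declared in any of the quoted hunks, and it cannot come from the signature `InterpretArg(const char *from, char *to)`, which carries no destination length; as posted the patch is missing either the hunk that defines `endto` or a new size parameter from which to derive it, and will not compile without one. Please include that part, and note in the function comment that the returned `from` now also signals truncation, so callers can tell a cut-off argument from a normally consumed one.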
@@ -97,6 +101,10 @@ InterpretArg(const char *from, char *to)
*to++ = '\\'; /* Pass the escapes on, maybe skipping \# */
break;
}
+ if (to >= endto) {
+ *endto = '\0';
+ return from;
+ }
*to++ = *from++;
break;
case '$':
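Review bot: this check comes after the `*to++ = '\\'` on the context line above it, so it only stays in bounds because the loop-top check already guarantees one free byte per iteration; that coupling deserves a comment. When it fires, the output ends in a lone backslash while the escaped byte is left unread in `from`, so a caller that re-parses the truncated string sees a dangling escape; consider testing for two free bytes before emitting the backslash instead of one after it.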
@@ -127,6 +135,10 @@ InterpretArg(const char *from, char *to)
*ptr++ = *from;
*ptr = '\0';
}
+ if (to >= endto) {
+ *endto = '\0';
+ return from;
+ }
if (*to == '\0')
*to++ = '$';
else if ((env = getenv(to)) != NULL) {
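Review bot: the check lands after the variable name has already been collected into `to` through `ptr` (`*ptr++ = *from; *ptr = '\0';` on the context lines above), so that scratch write is still unbounded for a long `$name`; a bound on `ptr` is needed before it. Likewise the `getenv(to)` result that the following branch copies into `to` needs a `to + strlen(env) >= endto` test of the same form as the `~user` hunk's `to + len` check: a single comparison on `to` ahead of a multi-byte copy does not bound the copy.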
@@ -142,6 +154,10 @@ InterpretArg(const char *from, char *to)
if (len == 0)
pwd = getpwuid(ID0realuid());
else {
+ if (to + len >= endto) {
+ *to = '\0';
+ return from;
+ }
strncpy(to, from, len);
to[len] = '\0';
pwd = getpwnam(to);
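Review bot: `to + len >= endto` correctly covers both `strncpy(to, from, len)` and `to[len] = '\0'`, but it only bounds the user-name scratch copy; whatever is copied out of `pwd` into `to` after `getpwnam`/`getpwuid` needs its own `to + strlen(...) >= endto` check, and the `len == 0` branch gets no check at all in this hunk. Also, returning `from` while it still points into the user name differs from the other early returns, which hand back the unconsumed input at a token boundary; say in a comment what a caller is expected to do with it.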
Thank you!
--
Eygene
--- End Message ---
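The two messages above show the trigger (a run of `~/` followed by a long argument) and the shape of the fix (an `endto` bound checked before each write). The following is an added example, not ppp's own code and not the patch: a constructed expander that mirrors the structure visible in the `InterpretArg()` hunks, with a dry-run length calculation standing in for the unbounded copy and a bounded copy that returns the unread remainder of `from` when it has to stop. `HOME_DIR`, `OUT_SIZE`, `expand_length`, `expand_bounded` and the payload builder are all assumptions made for the example; ppp would call `getpwnam()`/`getpwuid()` and use its own buffer sizes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (assumptions for this example): ppp would take the
 * home directory from getpwnam()/getpwuid(), and its own buffer is larger. */
#define HOME_DIR "/home/user"
#define OUT_SIZE 64

/* Expansion rule, kept deliberately small: "~/" becomes HOME_DIR "/";
 * every other byte is copied as-is. */

/* Dry run: how many bytes (excluding the NUL) the expansion of `from` would
 * need.  This is the amount an unbounded copy writes into its caller's
 * fixed-size buffer, which is what the posted payload relies on. */
size_t expand_length(const char *from)
{
    size_t n = 0;
    while (*from != '\0') {
        if (*from == '~' && from[1] == '/') {
            n += strlen(HOME_DIR);
            from++;                 /* the '/' is counted on the next turn */
        } else {
            n++;
            from++;
        }
    }
    return n;
}

/* Bounded expansion in the shape of the patch: `endto` is the last slot that
 * may hold a byte; when the cursor reaches it the output is NUL-terminated
 * and the unread remainder of `from` is returned, so the caller sees the
 * truncation instead of a smashed stack. */
const char *expand_bounded(const char *from, char *to, size_t tosize)
{
    char *endto = to + tosize - 1;  /* reserve room for the NUL */

    while (*from != '\0') {
        if (to >= endto) {          /* loop-top check, as in the first hunk */
            *endto = '\0';
            return from;
        }
        if (*from == '~' && from[1] == '/') {
            size_t len = strlen(HOME_DIR);
            if (to + len >= endto) { /* whole expansion must fit, as in the ~user hunk */
                *to = '\0';
                return from;
            }
            memcpy(to, HOME_DIR, len);
            to += len;
            from++;                 /* leave the '/' to the byte-wise copy */
            continue;
        }
        *to++ = *from++;
    }
    *to = '\0';
    return from;
}

/* Constructed payload in the shape of the report: ten "~/" and a long run
 * of 'x'.  Each "~/" grows by strlen(HOME_DIR) - 1 bytes on expansion. */
const char *report_payload(void)
{
    static char payload[512];
    size_t i, pos = 0;
    for (i = 0; i < 10; i++) {
        payload[pos++] = '~';
        payload[pos++] = '/';
    }
    memset(payload + pos, 'x', 300);
    payload[pos + 300] = '\0';
    return payload;
}

/* 1 if expanding the payload into an OUT_SIZE buffer stops early and leaves
 * a NUL-terminated, in-bounds string; 0 otherwise. */
int payload_is_truncated_safely(void)
{
    char out[OUT_SIZE];
    const char *rest = expand_bounded(report_payload(), out, sizeof out);
    return *rest != '\0'                              /* input not fully consumed */
        && memchr(out, '\0', sizeof out) != NULL      /* NUL lies inside the buffer */
        && strlen(out) < sizeof out;
}

/* 1 if an input that fits is expanded completely and `from` was consumed
 * to its terminating NUL; 0 otherwise. */
int short_input_expands_fully(void)
{
    char out[OUT_SIZE];
    const char *from = "~/ppp.conf";
    const char *rest = expand_bounded(from, out, sizeof out);
    return *rest == '\0' && strcmp(out, HOME_DIR "/ppp.conf") == 0;
}

int main(void)
{
    printf("payload expands to %zu bytes; destination holds %d\n",
           expand_length(report_payload()), OUT_SIZE);
    printf("bounded copy truncates safely: %d\n", payload_is_truncated_safely());
    printf("short input expands fully: %d\n", short_input_expands_fully());
    return 0;
}
```

The dry run makes the growth explicit: ten `~/` prefixes and 300 bytes of filler expand to several times `OUT_SIZE`, which is the condition an unbounded `InterpretArg()` has no way to notice. The bounded version stops at the sixth `~/`, so a caller that checks the returned pointer can reject the argument rather than act on a silently shortened one.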
-------------------------
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd