Re: execve bug linux-2.2.12
Matt Chapman (matty@CIFS.ORG)
Tue, 19 Oct 1999 04:06:29 +1000
- In reply to: Michael Breuer: "Netscape 4.x buffer overflow"
- Next in thread: Timo Felbinger: "Re: execve bug linux-2.2.12"
- Next in thread: security@XIRR.COM: "Re: execve bug linux-2.2.12"
- Reply: Timo Felbinger: "Re: execve bug linux-2.2.12"
- Reply: Taneli Huuskonen: "Re: execve bug linux-2.2.12"
On Sat, Oct 16, 1999 at 02:22:02PM +0100, Alan Cox wrote:
>
> I would certainly be interested in an example that caused this.
#include <unistd.h>
#include <errno.h>
#include <stdio.h>   /* printf */
#include <string.h>  /* strerror */

#define BADPTR (char *)0x10 /* for example: an unmapped user address */

int main(int argc, char **argv, char **envp)
{
    char *args[7];
    int i;

    /* argv[0] is valid; the next five argument pointers are deliberately bad */
    args[0] = "su";
    for (i = 1; i < 6; i++) {
        args[i] = BADPTR;
    }
    args[6] = NULL;

    /* the kernel should reject the bad pointers with EFAULT and return here */
    execve("/bin/su", args, envp);
    printf("%s\n", strerror(errno));
    return 1;
}
This program (on my system at least 5 bad arguments are needed) reproducibly
dies with SIGSEGV on 2.2.12. A similarly configured system with kernel 2.0.36
correctly reports EFAULT.
This would not normally be a problem, however... the above program will not
dump core for an ordinary user, only root, which makes me believe that the
fault occurs after the process has gained the root euid from /bin/su.
A gdb trace suggests the usual heap corruption in glibc, which does not
seem to be related to the arguments passed to execve (as long as they
are bad), so I doubt this is exploitable. However it is most likely a bug
somewhere.
Matt
--
Matthew "Austin" Chapman SysAdmin, Developer, Samba Team Member
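As an added regression check, not part of Matt's post or of the thread: the same probe run in a forked child, so that a child killed by SIGSEGV is reported as a result instead of taking down the harness. It assumes /bin/sh exists and that the report's BADPTR value in argv[1..n] is what matters, not the program being executed; probe_execve, MAX_BAD and the result enum are names chosen here.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;
/* How the kernel reacted to execve() with invalid argv pointers. */
enum probe_result {
    PROBE_EFAULT = 0,    /* bad pointers rejected cleanly with EFAULT */
    PROBE_OTHER_ERRNO,   /* execve failed, but with some other errno */
    PROBE_SIGNALLED,     /* child died from a signal: the 2.2.12 symptom */
    PROBE_HARNESS_ERROR  /* fork/waitpid failed or nbad out of range */
};

#define BADPTR ((char *)0x10)   /* unmapped address, same value as the report */
#define MAX_BAD 64
/* Runs execve(path, argv, environ) in a child, with argv[1..nbad] all set to
 * BADPTR, and classifies what happened to the child. */
enum probe_result probe_execve(const char *path, int nbad)
{
    char *args[MAX_BAD + 2];    /* argv[0], nbad bad pointers, terminating NULL */
    int status, i;
    pid_t pid;

    if (nbad < 1 || nbad > MAX_BAD) return PROBE_HARNESS_ERROR;
    args[0] = "probe";
    for (i = 1; i <= nbad; i++) args[i] = BADPTR;
    args[nbad + 1] = NULL;
    pid = fork();
    if (pid < 0) return PROBE_HARNESS_ERROR;
    if (pid == 0) {
        close(0);               /* if the exec ever succeeded, do not block on stdin */
        execve(path, args, environ);
        _exit(errno & 0xff);    /* reached only on failure: hand errno to the parent */
    }
    if (waitpid(pid, &status, 0) != pid) return PROBE_HARNESS_ERROR;
    if (WIFSIGNALED(status)) return PROBE_SIGNALLED;
    if (!WIFEXITED(status)) return PROBE_HARNESS_ERROR;
    return WEXITSTATUS(status) == EFAULT ? PROBE_EFAULT : PROBE_OTHER_ERRNO;
}

int main(void)
{
    static const char *names[] = { "EFAULT", "other errno", "killed by signal", "harness error" };
    for (int n = 1; n <= 8; n++)    /* the report needed 5 bad arguments on 2.2.12 */
        printf("%d bad argv pointer(s): %s\n", n, names[probe_execve("/bin/sh", n)]);
    return 0;
}
```

On a kernel that behaves as 2.0.36 did, every line reports EFAULT; a 2.2.12-style failure shows up as "killed by signal" in the parent rather than as a crash of the harness itself.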
This archive was generated by hypermail 2.0b3 on Tue Oct 19 1999 - 14:09:45 CDT