Subject: Re: [ Hackerslab bug_paper ] Linux dump buffer overflow
From: Ronald Huizer (ronald@GRAFIX.NL)
Date: Sat Mar 04 2000 - 12:55:43 CST
- Next message: harikiri: "OpenLinux 2.3: rpm_query"
- Previous message: Ben Greenbaum: "Re: OfficeScan; additional observation"
- Next in thread: Lamagra Argamal: "Re: [ Hackerslab bug_paper ] Linux dump buffer overflow"
- Maybe reply: Ronald Huizer: "Re: [ Hackerslab bug_paper ] Linux dump buffer overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>No. getenv() fails because *envp, argc, **argv are AFTER pathname[]
>buffer and get overwritten.
>Of course, it is still exploitable.
It doesn't quite look that way to me.

The overflow takes place after the setuid(getuid()) call has
been made, which renders execution of shellcode useless to
us.

The first overflow that is encountered in this way is NOT
the strcpy(pathname, disk) but the realpath() function, which
expects pathname to be of size MAXPATHLEN instead of a mere
255 bytes. After this the buffer is overflowed again by the
strcpy() call.

After patching pathname to be of MAXPATHLEN size the buffer
still gets overflowed by the strcpy() function, which should
be made a strncpy() to function properly.

Full patch included (not a workaround that just chokes in
a \0 at the end of char *disk).
--- main.c.old Fri Jan 21 11:17:41 2000
+++ main.c Sat Mar 4 19:42:13 2000

-119,7 +119,7 
#ifdef __linux__
errcode_t retval;
char directory[NAME_MAX];
- char pathname[NAME_MAX];
+ char pathname[MAXPATHLEN];
#endif
time_t tnow;
char labelstr[LBLSIZE];
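Review bot: MAXPATHLEN is not declared in the same place as NAME_MAX, which the old line used: on Linux it comes from <sys/param.h> (where it is defined as PATH_MAX), while NAME_MAX comes from <limits.h>. The hunk does not show main.c's includes, so confirm <sys/param.h> is already included under __linux__, or the build will fail with MAXPATHLEN undeclared. Note also that `char directory[NAME_MAX];` is left at NAME_MAX while the second hunk passes it to fstabsearchdir(pathname, directory); if that function writes a full path rather than a single name component into it, it has the same sizing problem pathname had.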

-363,7 +363,7 
#ifdef HAVE_REALPATH
if (realpath(disk, pathname) == NULL)
#endif
- strcpy(pathname, disk);
+ strncpy(pathname, disk, MAXPATHLEN);
dt = fstabsearchdir(pathname, directory);
if (dt != NULL) {
char name[MAXPATHLEN];
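Review bot: `strncpy(pathname, disk, MAXPATHLEN);` does not NUL-terminate pathname when strlen(disk) >= MAXPATHLEN, so the following `fstabsearchdir(pathname, directory);` reads past the buffer in exactly the over-long case this patch exists to handle. Either copy MAXPATHLEN - 1 bytes and set `pathname[MAXPATHLEN - 1] = '\0';`, or check strlen(disk) >= MAXPATHLEN first and reject the argument with an error, which is the more honest behaviour for a device name that cannot be valid anyway. The realpath() branch is fine now that pathname is MAXPATHLEN bytes.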
Cheers,
Ronald Huizer - ronald@grafix.nl
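The size mismatch discussed in this message, shown as an added example that is not code from dump's main.c or from the patch above: a NAME_MAX (255-byte) destination fed by realpath(), which needs a MAXPATHLEN buffer, and then by an unbounded strcpy(). The functions would_overflow_name_max(), copy_path_bounded() and resolve_disk_path() and the constructed inputs are invented here for illustration; the first only measures what the unsafe copies would do, the other two are the bounded form with an explicit terminator and a truncation result.

```c
#define _XOPEN_SOURCE 700       /* expose realpath() in <stdlib.h> on glibc */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>          /* MAXPATHLEN on Linux/BSD */

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#ifndef MAXPATHLEN
#define MAXPATHLEN PATH_MAX
#endif
#ifndef NAME_MAX
#define NAME_MAX 255
#endif

/* Mirrors the original sizing: realpath() may write up to MAXPATHLEN
 * bytes and strcpy() copies whatever the user passed, but the target
 * was a NAME_MAX buffer.  Returns 1 if either copy would overflow a
 * NAME_MAX destination, 0 otherwise.  It only measures; it never
 * performs the unsafe writes. */
int would_overflow_name_max(const char *disk)
{
    char resolved[MAXPATHLEN];          /* what realpath() actually needs */
    const char *src = realpath(disk, resolved) ? resolved : disk;
    return strlen(src) + 1 > NAME_MAX;  /* bytes + terminating NUL */
}

/* Bounded copy with a guaranteed terminator.  strncpy() alone leaves
 * dst unterminated when src is >= dstlen bytes, so terminate explicitly
 * and report truncation instead of handing a mangled path onward.
 * Returns 0 if src fit, -1 if it was truncated (dst still terminated). */
int copy_path_bounded(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return -1;
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
    return strlen(src) < dstlen ? 0 : -1;
}

/* Hardened shape of the main.c fragment: resolve into a MAXPATHLEN
 * buffer, fall back to the caller's string when realpath() fails, and
 * never write more than pathname[] can hold.  Returns 0 on success,
 * -1 when the path would not fit (pathname is then truncated but
 * terminated; a real program should refuse the argument). */
int resolve_disk_path(const char *disk, char *pathname, size_t pathlen)
{
    char resolved[MAXPATHLEN];
    const char *src = realpath(disk, resolved) ? resolved : disk;
    return copy_path_bounded(pathname, pathlen, src);
}

/* Constructed input: an argument of `len` 'A's, i.e. an attacker-chosen
 * device name that no fstab entry will match.  Caller frees it. */
char *make_constructed_arg(size_t len)
{
    char *s = malloc(len + 1);
    if (s) {
        memset(s, 'A', len);
        s[len] = '\0';
    }
    return s;
}

int main(void)
{
    char out[NAME_MAX];
    char *longdisk = make_constructed_arg(400);

    printf("\"/..\" overflows NAME_MAX: %d\n", would_overflow_name_max("/.."));
    printf("400-byte arg overflows NAME_MAX: %d\n", would_overflow_name_max(longdisk));
    printf("resolve \"/..\" -> rc %d, \"%s\"\n",
           resolve_disk_path("/..", out, sizeof out), out);
    printf("resolve 400-byte arg -> rc %d, kept %zu bytes\n",
           resolve_disk_path(longdisk, out, sizeof out), strlen(out));
    free(longdisk);
    return 0;
}
```

The 400-byte argument is below MAXPATHLEN, so the only thing standing between it and the stack is the size of pathname[]; realpath() fails on it (no such file), the strcpy() fallback is what fires, and that is the path the second hunk of the patch changes. A short argument that is a symlink to a long canonical path would instead overflow through realpath() itself, which is why the buffer must be MAXPATHLEN regardless of the copy used afterwards.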