Subject: Re: local root on linux 2.2.15
From: Peter da Silva (peter@SCARYDEVIL.ORG)
Date: Thu Jun 15 2000 - 10:44:07 CDT
- Next message: W. Craig Trader: "Re: Microsoft Access Trojan VBA: The overlooked "macro virus""
- Previous message: Jim Rosenberg: "Vulnerabilities in Norton Antivirus for Exchange"
- In reply to: Tollef Fog Heen: "Re: local root on linux 2.2.15"
- Next in thread: Firstname Lastname: "Re: local root on linux 2.2.15"
- Next in thread: der Mouse: "Re: local root on linux 2.2.15"
- Reply: Peter da Silva: "Re: local root on linux 2.2.15"
- Reply: Firstname Lastname: "Re: local root on linux 2.2.15"
- Reply: Joseph Gooch: "Re: local root on linux 2.2.15"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
In article <87bt184i7z.fsf@arabella.intern.opera.no> you write:
> Always check the return value of system calls. Always. Always.
> Always.
[...]
> cap_user_header_t header;
> cap_user_data_t data;
> header = malloc(8);
> data = malloc(12);
> header->pid = 0;
> header->version = _LINUX_CAPABILITY_VERSION;
> data->inheritable = data->effective = data->permitted = 0;
Two bugs here:
1. If sizeof(cap_user_header_t) or sizeof(cap_user_data_t)
increases, you'll get a buffer overflow in the malloc()ed
data. This isn't as bad as a buffer overflow on stack,
because it's almost impossible to exploit for anything but
a DoS attack, but it's easy to avoid:
header = malloc(sizeof *header);  /* cap_user_header_t is a pointer typedef, so sizeof *header (the struct), not sizeof (cap_user_header_t) (a pointer) */
data = malloc(sizeof *data);      /* same for cap_user_data_t */
2. Ironically, you're not checking the return value of a system
call, namely brk() or sbrk() (or maybe mmap(), depending on
how they're implementing malloc() in Lunix these days). Before
using header or data, check that malloc() succeeded.
if(! (header = malloc(sizeof *header) ) ) {
perror("malloc: header");
exit(EXIT_FAILURE);   /* or return an error to the caller */
}
if(! (data = malloc(sizeof *data) ) ) {
perror("malloc: data");
exit(EXIT_FAILURE);   /* or return an error to the caller */
}
> capset(header, data);
I don't have a recent Linux box to check, but isn't this a system call?
If this fails, what happens? In the sample code, nothing bad... but if
you don't get in the habit of automatically writing robust code you're
going to be reading one of these alerts some day with your name on it...
as the victim.
(and if I missed something in the code above, go ahead and stamp all over
my face, I know I've shipped broken code in the past... they say
there's no saint like a converted sinner)
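The robust version of the sequence discussed in this thread, written out as an added example (it is not code from either poster). It assumes a Linux host with the kernel headers installed and uses the raw capget(2)/capset(2) syscalls through syscall(2) so it needs no libcap. Every system call and every allocation is checked, allocations are sized from the pointed-to struct (cap_user_header_t and cap_user_data_t are pointer typedefs, so sizeof on them gives the size of a pointer), and the version-probe idiom from the capget(2) man page is used to learn the ABI version the kernel wants rather than hard-coding one. The names probe_cap_version, get_own_caps, caps_readable and drop_all_caps are this example's own.

```c
#define _GNU_SOURCE            /* for syscall() in <unistd.h> */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* cap_user_header_t / cap_user_data_t are typedef'd as POINTERS to the
 * kernel structs, so sizeof(cap_user_header_t) is the size of a pointer.
 * Size every allocation from the pointed-to struct instead. */
typedef struct __user_cap_header_struct cap_hdr;
typedef struct __user_cap_data_struct   cap_data;

/* Probe the kernel's preferred capability ABI version: capget() with
 * version 0 fails with EINVAL, but first writes the preferred version
 * back into hdr.version. Returns that version, or 0 on an unexpected
 * failure (errno is then meaningful). */
unsigned int probe_cap_version(void)
{
    cap_hdr  hdr;
    cap_data scratch[_LINUX_CAPABILITY_U32S_3];
    long rc;

    memset(&hdr, 0, sizeof hdr);           /* version 0, pid 0 (= self) */
    rc = syscall(SYS_capget, &hdr, scratch);
    if (rc != 0 && errno != EINVAL)
        return 0;
    return hdr.version;
}

/* Read the calling process's capability sets. Returns 0 on success, -1
 * with errno set on failure. out[] must hold _LINUX_CAPABILITY_U32S_3
 * entries, enough for every ABI version the kernel knows. */
int get_own_caps(unsigned int version, cap_data out[])
{
    cap_hdr hdr;
    hdr.version = version;
    hdr.pid = 0;
    memset(out, 0, _LINUX_CAPABILITY_U32S_3 * sizeof *out);
    return (int)syscall(SYS_capget, &hdr, out);
}

/* Yes/no wrapper: 1 if capget() works with this version, else 0. */
int caps_readable(unsigned int version)
{
    cap_data caps[_LINUX_CAPABILITY_U32S_3];
    return get_own_caps(version, caps) == 0;
}

/* Drop every capability of the calling process with each step checked:
 * allocation sized from the struct, malloc() result tested, capset()
 * result tested and reported. Returns 0 on success, -1 on failure with
 * errno set and a diagnostic on stderr. */
int drop_all_caps(unsigned int version)
{
    cap_hdr  *hdr;
    cap_data *data;
    int rc, saved;

    if (!(hdr = malloc(sizeof *hdr))) {
        perror("malloc: header");
        return -1;
    }
    /* calloc() zeroes the sets: effective = permitted = inheritable = 0 */
    if (!(data = calloc(_LINUX_CAPABILITY_U32S_3, sizeof *data))) {
        perror("malloc: data");
        saved = errno; free(hdr); errno = saved;
        return -1;
    }
    hdr->version = version;
    hdr->pid = 0;                          /* 0 == the calling process */

    rc = (int)syscall(SYS_capset, hdr, data);
    saved = errno;
    if (rc != 0 && saved == EINVAL)        /* kernel wrote back its version */
        fprintf(stderr, "capset: %s (kernel prefers ABI version 0x%x)\n",
                strerror(saved), hdr->version);
    else if (rc != 0)
        fprintf(stderr, "capset: %s\n", strerror(saved));
    free(hdr);
    free(data);
    errno = saved;
    return rc;
}

int main(void)
{
    cap_data caps[_LINUX_CAPABILITY_U32S_3];
    unsigned int v = probe_cap_version();

    if (v == 0) { perror("capget probe"); return 1; }
    printf("kernel capability ABI version: 0x%x\n", v);
    if (get_own_caps(v, caps) != 0) { perror("capget"); return 1; }
    printf("before: effective=0x%08x permitted=0x%08x\n",
           caps[0].effective, caps[0].permitted);
    /* Deliberately wrong version: the call fails and the check catches it. */
    if (drop_all_caps(0) == 0)
        fprintf(stderr, "unexpected: version 0 was accepted\n");
    if (drop_all_caps(v) != 0) return 1;
    if (get_own_caps(v, caps) != 0) { perror("capget"); return 1; }
    printf("after:  effective=0x%08x permitted=0x%08x\n",
           caps[0].effective, caps[0].permitted);
    return 0;
}
```

Run it as an ordinary user: the first drop_all_caps() call reports "Invalid argument" together with the version the kernel actually wants, which is exactly the information a silent, unchecked capset() would have thrown away; the second call succeeds and the final capget() shows the sets at zero.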