Subject: Stack Overflow Vulnerability in procps's top
From: Ben Lull (benVALLEYLOCAL.COM)
Date: Wed Aug 16 2000 - 00:24:31 CDT


Description:

The utility top, included with the procps package in Slackware Linux, contains multiple buffer overruns. Although the top utility is not sXid by default, it is still a problem. Through security comes stability, and by creating secure applications, you will, in turn, create stable applications. The overflows occur in two different places. When a call to strcpy() is made, it copies the environment variable HOME into the buffer rcfile[1024] without bounds checking.

Reproduction:

Included with this post is proof of concept code (topoff.c) for Slackware Linux 7.0.0 and 7.1.0. Simply remove the comment in front of '#define RET' for the version of Slackware which you are testing and compile. When run, the result will be an execve()'ed /bin/sh. You can also verify that your version of top is vulnerable by setting the environment variable HOME to a string greater than 1023 bytes.

Solution:

A patch for the most current version of procps (procps-2.0.6) is attached to this post. Obtain procps-2.0.6 from any Slackware distribution site under the source/a/procps/ directory. Unpack procps-2.0.6.tar.gz and apply the included patch (procps-2.0.6.patch).

Credits:

I'd like to actually say thank you to my boss for not getting on my case when I stray from my work to play with things such as this.

Notes:
For reference, you can see all previous posts at http://www.skunkware.org/security/advisories/

- Ben

************************
* Ben Lull *
* Valley Local Internet, Inc *
* Systems Administrator *
************************
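
Added example (not part of the original post and not the attached procps-2.0.6.patch): a bounds-checked way to build the rc file path from HOME into a 1024-byte buffer, with the unchecked pattern the advisory describes shown in a comment for contrast. The function name build_rcfile_path and the file name ".toprc" are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RCFILE_SIZE 1024   /* size of rcfile[] as given in the advisory */

/* Pattern described in the advisory (for contrast only, never called):
 *     char rcfile[1024];
 *     strcpy(rcfile, getenv("HOME"));   no length check, no NULL check
 */

/* Hypothetical helper: writes "<home>/<name>" into out[outsz].
 * Returns 0 on success, -1 if HOME is unset/empty or the path would not fit.
 * On failure out is left as "" so a caller never opens a truncated path. */
int build_rcfile_path(char *out, size_t outsz, const char *home, const char *name)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] == '\0' || name == NULL)
        return -1;

    /* snprintf returns the length it wanted to write, excluding the NUL;
     * a value >= outsz means the result was truncated. */
    n = snprintf(out, outsz, "%s/%s", home, name);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char rcfile[RCFILE_SIZE];

    /* ".toprc" is an assumed rc file name, not taken from the advisory. */
    if (build_rcfile_path(rcfile, sizeof rcfile, getenv("HOME"), ".toprc") != 0) {
        fprintf(stderr, "HOME unset or too long; skipping rc file\n");
        return 1;
    }
    printf("rc file: %s\n", rcfile);
    return 0;
}
```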