4397331 1999-10-16  03:12  /38 rader/ Postmaster
Mottagare: Bugtraq (import) <8197>
Ärende: execve bug linux-2.2.12
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.org
Message-ID:  <199910160007.RAA04857@trill.valinux.com>
Date:         Fri, 15 Oct 1999 17:07:10 -0700
Reply-To: ben@VALINUX.COM
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: ben@VALINUX.COM
X-To:         bugtraq@securityfocus.org
To: BUGTRAQ@SECURITYFOCUS.COM

While doing some debugging, I discovered a really nasty stack smash
bug in linux-2.2.12. The I haven't checked previous versions of the
2.2 kernel but bug appears to be fixed in linux-2.2.13pre17.

If I am reading this correctly, the implications of this bug could be
very dire. It may be possible to easily obtain root privilege on any
box running this kernel.

Basically the problem is that the execve system call checks that argv
is a valid pointer but it doesn't check that all of the pointers in
argv array are valid pointers. If you pass bad pointers into the
execve system call you can corrupt the processes stack before it
returns to user space. Then when the kernel hands off the process to
the elf loader code and which begins to setup the processes it can be
made to execute some malicious code in place of the program's main
function.

This is particularly scary because all of this occurs BEFORE the
program begins executing its main function and AFTER the program
returns to user space with privilege. Therefore no matter how well
audited the program may be it can be used as to gain privilege.

The thing that tipped me off to the problem was that a program that I
exec'd was getting killed with SIGSEGV in __libc_start_main before my
main function began running.

-ben
(4397331) -----------------------------------