109291 2003-08-11 21:45 /88 lines/ yan feng <jsk@ph4nt0m.net>
Imported: 2003-08-11 21:45 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5966>
Subject: PST Linux Advisor--------Dsh-0.24.0 in debian has a home env Buffer Overflow Vulnerability
------------------------------------------------------------
========================================
Ph4nt0m Security Advisory #2003--8-10
========================================
Dsh-0.24.0 in debian has a home env Buffer Overflow Vulnerability
By "jsk" (akun), in ph4nt0m.net(c) Security.
E-mail: jsk@ph4nt0m.net
Advisory Number : pst-2003--8-10-004
name : dsh
versions : 0.24.0 possible in 0.24.1
Vendor : http://fresh.t-systems-sfr.com/linux/src/dsh-0.24.0.tar.gz
summary : Local&remote
os(s) : *nix
***************************************************************************
** Description : the bug should be in debian os. Successful exploitation could
result in arbitrary code execution with potentially elevated privileges.
***************************************************************************
** Vulnerability details:
***************************************************************************
**
dsh.c (excerpt from main, as quoted in the advisory):

    #include <libintl.h>   /* textdomain, bindtextdomain, _() */
    #include <locale.h>
    #include <stdio.h>
    #include <stdlib.h>
    /* PACKAGE, PACKAGE_NAME, LOCALEDIR, DSH_CONF and load_configfile()
       come from dsh's own headers. */

    int main(int ac, char **av)
    {
        char *buf = NULL;

        setlocale(LC_ALL, "");
        if (!textdomain(PACKAGE_NAME))
        {
            if (!bindtextdomain(PACKAGE_NAME, LOCALEDIR))
                fprintf(stderr, "%s: failed to call bindtextdomain\n", PACKAGE);
        }
        load_configfile(DSH_CONF);
        /* $HOME is taken straight from the environment and formatted into
           a buffer that asprintf() sizes itself (see below) */
        if (asprintf(&buf, "%s/.dsh/dsh.conf", getenv("HOME")) < 0)   /* .............lol */
        {
            fprintf(stderr, _("%s: asprintf failed\n"), PACKAGE);
            exit(1);
        }
        load_configfile(buf);
        free(buf);
        /* ... rest of main() is not shown in the advisory ... */
    }
Definition of asprintf (dsh's replacement version):

    #include <stdarg.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/types.h>   /* ssize_t */

    int asprintf(char **strp, const char *fmt, ...)
    {
        ssize_t buflen = 50 * strlen(fmt);   /* pick a number, any number */   /* .............lol */
        *strp = malloc(buflen);
        if (*strp)
        {
            va_list ap;
            va_start(ap, fmt);
            vsnprintf(*strp, buflen, fmt, ap);   /* ..................................lol */
            va_end(ap);
            return buflen;
        }
        /* failure path not shown in the advisory; asprintf returns -1 on error */
        return -1;
    }
hey:
getenv("HOME") >50*strlen(%s/.dsh/dsh.conf) ......buf overflow......
***************************************************************************
********************** By "jsk" (akun), in ph4nt0m.net(c) Security.
E-mail:jsk@ph4nt0m.net ph4nt0m Security Team: http://www.ph4nt0m.net
My World: http://jsk.ph4nt0m.net MY GnuPG Public Key:
http://202.119.104.82/webeq/app/jsk/jsk.asc
(109291) /yan feng <jsk@ph4nt0m.net>/-----(Reflowed)
109806 2003-08-15 03:17 /19 lines/ Vade 79 <v9@fakehalo.deadpig.org>
Imported: 2003-08-15 03:17 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <6050>
Subject: Re: PST Linux Advisor--------Dsh-0.24.0 in debian has a home env Buffer Overflow Vulnerability
------------------------------------------------------------
In-Reply-To: <20030810011227.5888.qmail@www.securityfocus.com>
> ssize_t buflen = 50 * strlen(fmt); /* pick a number, any number
> */.............lol
> *strp = malloc(buflen);
>
> if (*strp)
> {
> va_list ap;
> va_start(ap, fmt);
> vsnprintf(*strp, buflen, fmt, ap);..................................lol
> getenv("HOME") >50*strlen(%s/.dsh/dsh.conf) ......buf overflow......
how do you figure? it uses the same buflen value to limit the amount
written to the buffer in the vsnprintf call as it was allocated (cept
didn't add space for the null byte)? am i missing something?
(109806) /Vade 79 <v9@fakehalo.deadpig.org>/--------
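An added example, not code from dsh or from either poster, that runs the quoted replacement asprintf against constructed HOME values and classifies what happens: because vsnprintf is bounded by the same buflen that was allocated, an over-long HOME is silently truncated rather than written past the buffer, which is the point the reply raises. build_dsh_conf_path and check_home_len are hypothetical helper names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replacement asprintf as quoted in the advisory: the buffer is
 * 50 * strlen(fmt) bytes and vsnprintf is bounded by that same size, so an
 * over-long argument is cut short instead of being written past the
 * allocation. It returns buflen, not the formatted length, so the caller
 * cannot see that truncation happened. */
static int dsh_asprintf(char **strp, const char *fmt, ...)
{
    size_t buflen = 50 * strlen(fmt);
    *strp = malloc(buflen);
    if (*strp) {
        va_list ap;
        va_start(ap, fmt);
        vsnprintf(*strp, buflen, fmt, ap);
        va_end(ap);
        return (int)buflen;
    }
    return -1;
}

/* Build "<home>/.dsh/dsh.conf" the way dsh's main() does and classify the
 * result: 0 = full path fits, 1 = silently truncated, -1 = allocation failed.
 * vsnprintf always NUL-terminates within buflen, so strlen(*out) is safe. */
int build_dsh_conf_path(const char *home, char **out)
{
    const char *fmt = "%s/.dsh/dsh.conf";   /* strlen 16 -> 800-byte buffer */
    size_t want = strlen(home) + strlen("/.dsh/dsh.conf");
    if (dsh_asprintf(out, fmt, home) < 0)
        return -1;
    return strlen(*out) == want ? 0 : 1;
}

/* Hypothetical probe helper (not from dsh): use a constructed HOME of
 * `home_len` 'A' characters and return the classification above. */
int check_home_len(size_t home_len)
{
    char *home = malloc(home_len + 1), *path = NULL;
    int status;
    if (!home)
        return -1;
    memset(home, 'A', home_len);
    home[home_len] = '\0';
    status = build_dsh_conf_path(home, &path);
    free(path);
    free(home);
    return status;
}
```

With this format string the buffer is 800 bytes, so a HOME of 785 characters still fits (799 characters plus NUL) and 786 is the first length that gets truncated; a much longer HOME still produces a 799-character path, never an out-of-bounds write.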