102534 2003-05-24  19:09  /41 lines/ Ktha <ktha@hushmail.com>
Imported: 2003-05-24  19:09  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5007>
Subject: uml_net bug
------------------------------------------------------------


There is a vulnerability in uml_net. The latest version is vulnerable
too.  The problem is the lack of bounds checking in uml_net.c from
uml_utilities. A possible attack could lead to root compromise on
some systems since, for example, uml_net is installed setuid root in
RH 8.0 by default.

Let's look over the code:

*	int n = 3, v;

We observe that "v" is declared as a signed integer.  With a little
bit of "luck" we will end up here, knowing that "v" will get the value
of the first parameter (an integer) given to the program:

*	if(v > CURRENT_VERSION)

So, if "v" is smaller than 0, the test will be passed, but "v" will
not be between 0 and CURRENT_VERSION as the author expected.  After
some tests on the second parameter of the program, we should arrive
at this code:

*	if(handlers[v] != NULL) (*handlers[v])(argc - n, &argv[n]);

Here the function located at handlers[v] is called. By supplying a
large negative integer for "v", handlers[v] can point to the stack,
which can be controlled by the user. So the program can be fooled
into calling a user-controlled "function".  Since the root privileges
are not dropped until this point, the user code will be executed with
super-user privileges.
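The following is an added example, not code from the advisory or from uml_utilities, showing the defensive side of the pattern described above: a version-indexed table of handler function pointers, the original one-sided check (which accepts any negative value), and a hardened variant that parses the argument strictly and bounds the index against the real size of the table. The handler names, the table contents and the CURRENT_VERSION value are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

/* Constructed stand-in for a per-version handler table; the real
   uml_net table and constant differ, only the shape is the same. */
#define CURRENT_VERSION 2

typedef int (*handler_fn)(int argc, char **argv);

static int handler_v0(int argc, char **argv) { (void)argc; (void)argv; return 0; }
static int handler_v1(int argc, char **argv) { (void)argc; (void)argv; return 1; }
static int handler_v2(int argc, char **argv) { (void)argc; (void)argv; return 2; }

static handler_fn handlers[] = { handler_v0, handler_v1, handler_v2 };
#define NUM_HANDLERS (sizeof(handlers) / sizeof(handlers[0]))

/* The original style of check: only rejects values above the
   version constant, so every negative value is accepted.
   Returns 1 if the value would be accepted. */
int original_check_accepts(int v) {
    return !(v > CURRENT_VERSION);
}

/* Hardened check: non-negative and below the size of the table that
   is actually indexed, rather than a constant that can drift out of
   sync with the table. */
int index_is_valid(long v) {
    return v >= 0 && (unsigned long)v < NUM_HANDLERS;
}

/* Strict integer parse: whole string must be consumed, no overflow.
   Returns 0 on success and stores the value in *out. */
int parse_version(const char *s, long *out) {
    char *end;
    long val;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    val = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    *out = val;
    return 0;
}

/* Dispatch through the table only after both parse and range checks.
   Returns the handler's result, or -1 if the argument is rejected. */
int dispatch(const char *version_arg, int argc, char **argv) {
    long v;
    if (parse_version(version_arg, &v) != 0) return -1;
    if (!index_is_valid(v)) return -1;
    if (handlers[v] == NULL) return -1;
    return handlers[v](argc, argv);
}

int main(int argc, char **argv) {
    int r;
    if (argc < 2) {
        fprintf(stderr, "usage: %s <version> [args...]\n", argv[0]);
        return 2;
    }
    r = dispatch(argv[1], argc - 2, &argv[2]);
    if (r < 0) {
        fprintf(stderr, "rejected version argument: %s\n", argv[1]);
        return 1;
    }
    printf("handler %d ran\n", r);
    return 0;
}
```

Run it as `./a.out 1` to reach a handler and `./a.out -5` or `./a.out 2x` to see the argument rejected before any table lookup; bounding against `NUM_HANDLERS` rather than a separate constant is what keeps the check correct when handlers are added later.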
Suggested patch: uml_net.c

    - if(v > CURRENT_VERSION){
    + if ((v > CURRENT_VERSION) || (v < 0)) {
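Review bot: the added `(v < 0)` test closes the negative-index hole, but the upper bound is still `CURRENT_VERSION` rather than the size of the `handlers` table that `handlers[v]` indexes, so the check silently relies on the table having exactly CURRENT_VERSION + 1 entries; bounding against the array length, e.g. `if (v < 0 || v >= (int)(sizeof(handlers)/sizeof(handlers[0])))`, or a compile-time assertion tying the two together, would make it hold if either changes. This check also remains the only barrier before a call made with root privileges still held, as the text above notes, so dropping privileges before the dispatch is worth considering alongside it. Minor style point: the `+` line changes `){` to `) {`, which differs from the brace style of the line it replaces.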

Contact: ktha@hushmail.com
(102534) /Ktha <ktha@hushmail.com>/-------(Rewrapped)