List: vulnwatch
Subject: [VulnWatch] GOBBLES #10: root hole in (linux) runas
From: Rain Forest Puppy <rfp () vulnwatch ! org>
Date: 2001-11-30 23:49:47
GOBBLES (www.bugtraq.org) has released an advisory concerning a format
string vuln in the logging of the runas app available from
http://metagame.org/runas/ (nothing to do with Windows runas). Since only
10% of the advisory deals with the problem, I'm going to include the
appropriate excerpt below; however, those with the bandwidth can
read the full thing online at GOBBLES site:
http://www.bugtraq.org/dev/GOBBLES-10.txt
- rfp
TECHNICAL DETAILS
*****************
bash-2.05$ ./runas -GOBBLES "%s%s%s"
./runas: on /dev/ttyp2 in /usr/home/GOBBLES/runas-3.11.1/runas-3.11.1: NO
PRIVILEDGE for GOBBLES for command: [-GOBBLES] [%s%s%s]
Segmentation fault (core dumped)
Bugtraq, here we come!
main()->checkAccess()->syslogCommandNOPRIV()->errorMsg()->syslogMsg()
    while (msglen > nonterminated_syslog_buflen) {
        (void) strncpy(syslog_buf, msg, nonterminated_syslog_buflen);
        syslog_buf[syslog_bufsize] = (char) NULL;
        delimiter = strrchr(syslog_buf, SPACE); /* split on space boundary */

        if (delimiter == NULL) { /* No space found */
            msg_position = nonterminated_syslog_buflen;
            syslog_buf[msg_position + 1] = (char) NULL;
        } else {
            msg_position = nonterminated_syslog_buflen - strlen(delimiter);
            syslog_buf[msg_position] = (char) NULL;
        }
        (void) syslog(priority, syslog_buf);
        msglen -= msg_position;
        msg += msg_position + 1;
    }
    if (msg != NULL) {
        (void) syslog(priority, msg);
    }
} /* syslogMsg */
Hehe, can you spot off-by-one heap-based overflow?!?! Similar function as
sudo vuln function hehehe. Identical class of product too hehehe. Maybe
Illuminati behind this conspiracy lololololololololololololololololol.
But easy to see fmtstringerizer hole there with syslog().
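An added example, not part of the original message or the runas source: a bounds-safe rewrite of the chunked logging loop quoted above, in which every chunk reaches syslog() as an argument to a constant "%s" format and the buffer reserves a slot for the terminator. The names CHUNK_MAX, log_sink, syslog_sink, capture_sink and log_chunked are hypothetical, and the 32-byte chunk size is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define CHUNK_MAX 32                      /* assumed per-record payload limit */
typedef void (*log_sink)(int priority, const char *chunk);

/* Real sink: constant format, so '%' in chunk is data, not a directive. */
void syslog_sink(int priority, const char *chunk) {
    syslog(priority, "%s", chunk);
}

/* Capture sink for checking the splitter without a syslog daemon. */
size_t seen_max;                          /* longest chunk handed to the sink */
char seen_last[CHUNK_MAX + 1];            /* copy of the most recent chunk */
void capture_sink(int priority, const char *chunk) {
    size_t n = strlen(chunk);
    (void) priority;
    if (n > seen_max) seen_max = n;
    snprintf(seen_last, sizeof seen_last, "%s", chunk);
}

/* Split msg into chunks of at most CHUNK_MAX bytes, cutting at a space
 * where possible, and pass each to sink. Returns the number of chunks. */
int log_chunked(int priority, const char *msg, log_sink sink) {
    char buf[CHUNK_MAX + 1];              /* +1: the terminator has a slot */
    size_t left = msg ? strlen(msg) : 0;
    int chunks = 0;
    while (left > 0) {
        size_t take = left < CHUNK_MAX ? left : CHUNK_MAX, skip = 0;
        if (left > CHUNK_MAX) {           /* msg[CHUNK_MAX] is readable here */
            size_t i = CHUNK_MAX + 1;     /* last space in msg[0..CHUNK_MAX] */
            while (i > 0 && msg[i - 1] != ' ') i--;
            if (i > 1) { take = i - 1; skip = 1; }  /* cut before it, drop it */
        }
        memcpy(buf, msg, take);
        buf[take] = '\0';                 /* take <= CHUNK_MAX: in bounds */
        sink(priority, buf);
        chunks++;
        msg += take + skip;
        left -= take + skip;
    }
    return chunks;
}

int main(void) {  /* constructed input shaped like the advisory's test run */
    const char *m = "NO PRIVILEGE for user for command: [%s%s%s]";
    return log_chunked(LOG_NOTICE, m, syslog_sink) > 0 ? 0 : 1;
}
```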