
List:       vulnwatch
Subject:    [VulnWatch] GOBBLES #10: root hole in (linux) runas
From:       Rain Forest Puppy <rfp () vulnwatch ! org>
Date:       2001-11-30 23:49:47


GOBBLES (www.bugtraq.org) has released an advisory concerning a format
string vuln in the logging of the runas app available from
http://metagame.org/runas/ (nothing to do with Windows runas).  Since only
10% of the advisory deals with the problem, I'm going to include the
appropriate excerpt below; however, those with the bandwidth can
read the full thing online at GOBBLES' site:

http://www.bugtraq.org/dev/GOBBLES-10.txt

- rfp


TECHNICAL DETAILS
*****************

bash-2.05$ ./runas -GOBBLES "%s%s%s"
./runas: on /dev/ttyp2 in /usr/home/GOBBLES/runas-3.11.1/runas-3.11.1: NO
PRIVILEDGE for GOBBLES for command: [-GOBBLES] [%s%s%s]
Segmentation fault (core dumped)

Bugtraq, here we come!

main()->checkAccess()->syslogCommandNOPRIV()->errorMsg()->syslogMsg()

  while (msglen > nonterminated_syslog_buflen) {
    (void) strncpy(syslog_buf, msg, nonterminated_syslog_buflen);
    syslog_buf[syslog_bufsize] = (char) NULL;
    delimiter = strrchr(syslog_buf, SPACE);     /* split on space boundary */

    if (delimiter == NULL) {                    /* No space found */
      msg_position = nonterminated_syslog_buflen;
      syslog_buf[msg_position + 1] = (char) NULL;
    } else {
      msg_position = nonterminated_syslog_buflen - strlen(delimiter);
      syslog_buf[msg_position] = (char) NULL;
    }
    (void) syslog(priority, syslog_buf);        /* message chunk used as the format string */
    msglen -= msg_position;
    msg += msg_position + 1;
  }
  if (msg != NULL) {
    (void) syslog(priority, msg);               /* remainder used as the format string */
  }
} /* syslogMsg */

Hehe, can you spot off-by-one heap-based overflow?!?! Similar function as
sudo vuln function hehehe. Identical class of product too hehehe. Maybe
Illuminati behind this conspiracy lololololololololololololololololol.

But easy to see fmtstringerizer hole there with syslog().
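As an added, defender-side example (not code from the advisory or from the runas project): a rewrite of the chunking routine above that hands each chunk to syslog() as an argument to a constant "%s" format instead of as the format itself, and keeps every terminator write inside the buffer. The buffer size, the emit callback, the capture sink and the sample message are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define SYSLOG_BUFSIZE 16                    /* constructed: tiny so the splitting is visible */
#define SYSLOG_MAXLEN  (SYSLOG_BUFSIZE - 1)  /* payload length; the last slot holds the terminator */

/* Chunk sink, abstracted so the splitter can be checked without a syslog daemon. */
typedef void (*emit_fn)(int priority, const char *chunk, void *ctx);

/* Production sink: the message is an argument to a constant format, never the format itself. */
static void emit_syslog(int priority, const char *chunk, void *ctx) {
    (void)ctx;
    syslog(priority, "%s", chunk);
}

/* Test sink: records each chunk so the result can be inspected. */
struct capture { char chunks[8][SYSLOG_BUFSIZE]; size_t n; };
static void emit_capture(int priority, const char *chunk, void *ctx) {
    struct capture *c = ctx;
    (void)priority;
    if (c->n < 8) snprintf(c->chunks[c->n++], SYSLOG_BUFSIZE, "%s", chunk);
}

/* Split msg into chunks of at most SYSLOG_MAXLEN bytes, preferring a space boundary.
 * Returns the number of chunks handed to emit. */
size_t safe_syslog_msg(int priority, const char *msg, emit_fn emit, void *ctx) {
    char buf[SYSLOG_BUFSIZE];
    size_t msglen = strlen(msg), count = 0;

    while (msglen > SYSLOG_MAXLEN) {
        memcpy(buf, msg, SYSLOG_MAXLEN);
        buf[SYSLOG_MAXLEN] = '\0';           /* index BUFSIZE-1 is in bounds, unlike buf[bufsize] */
        char *sp = strrchr(buf, ' ');
        size_t cut = (sp == NULL || sp == buf) ? SYSLOG_MAXLEN : (size_t)(sp - buf);
        buf[cut] = '\0';                     /* cut <= MAXLEN, so never one past the end */
        emit(priority, buf, ctx);
        count++;
        size_t skip = (cut < SYSLOG_MAXLEN) ? cut + 1 : cut;  /* drop the space we split on */
        msg += skip;                         /* skip <= MAXLEN < msglen: cannot run past msg */
        msglen -= skip;
    }
    if (msglen > 0) {                        /* remainder, if any, also goes through "%s" */
        emit(priority, msg, ctx);
        count++;
    }
    return count;
}
```

With emit_syslog as the sink the chunks reach the system log unchanged, so a "%s%s%s" argument is recorded literally rather than interpreted.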


