| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030524011007.5654.qmail@www.securityfocus.com>
Date: 24 May 2003 01:10:07 -0000
From: Ktha <ktha@...hmail.com>
To: bugtraq@...urityfocus.com
Subject: uml_net bug
There is a vulnerability in uml_net. The latest version is vulnerable too.
The problem is the lack of bounds checking in uml_net.c from uml_utilities,
A possible attack could lead to root compromise on some systems since for
example uml_net comes suided root in RH 8.0 by default.
Let's look over the code:
* int n = 3, v;
we observe how "v" is declared, as a signed integer.
with a little bit of "luck" will end up here, knowing that "v" will get
the value of the first parameter (an integer) given to the program:
* if(v > CURRENT_VERSION)
so... if "v" is smaller than 0, the test will be passed but "v" will not
be between 0 and CURRENT_VERSION as the author would expected to.
after some tests on the second parameter of the program... we should
arrive to this code:
* if(handlers[v] != NULL) (*handlers[v])(argc - n, &argv[n]);
here it is called the function located at handlers[v]. by suplying a large
negative integer for "v", handlers[v] can point to the stack which can be
controlled by the user. so, the program can be fooled to call a user
controlled "function".
since the root privileges are not dropped till this point... the user code
will be executed with super-user privileges.
Suggested patch: uml_net.c
- if(v > CURRENT_VERSION){
+ if ((v > CURRENT_VERSION) || (v < 0)) {
Contact: ktha@...hmail.com
Powered by blists - more mailing lists