Message-ID: <20030810011227.5888.qmail@www.securityfocus.com>
Date: 10 Aug 2003 01:12:27 -0000
From: yan feng <jsk@...nt0m.net>
To: bugtraq@...urityfocus.com
Subject: PST Linux Advisory -------- Dsh-0.24.0 in debian has a home env Buffer Overflow Vulnerability
========================================
Ph4nt0m Security Advisory #2003--8-10
========================================
Dsh-0.24.0 in debian has a home env Buffer Overflow Vulnerability
By "jsk" (akun), in ph4nt0m.net(c) Security.
E-mail: jsk@...nt0m.net
Advisory Number : pst-2003--8-10-004
name : dsh
versions : 0.24.0 (possibly also 0.24.1)
Vendor : http://fresh.t-systems-sfr.com/linux/src/dsh-0.24.0.tar.gz
summary : Local (the attacker-controlled input is the HOME environment variable)
os(s) : *nix
*****************************************************************************
Description : The affected build is the dsh package shipped in Debian.
Successful exploitation could result in arbitrary code execution with
potentially elevated privileges.
*****************************************************************************
Vulnerability details:
*****************************************************************************
dsh.c (excerpt from main(); load_configfile(), DSH_CONF, PACKAGE,
PACKAGE_NAME and LOCALEDIR are defined elsewhere in dsh):

int
main(int ac, char **av)
{
    char *buf = NULL;
    setlocale(LC_ALL, "");
    if (!textdomain(PACKAGE_NAME))
    {
        if (!bindtextdomain(PACKAGE_NAME, LOCALEDIR))
            fprintf(stderr, "%s: failed to call bindtextdomain\n", PACKAGE);
    }
    load_configfile(DSH_CONF);
    /* HOME is taken straight from the environment: untrusted, unbounded,
       and NULL if the variable is unset (which %s does not handle). */
    if (asprintf(&buf, "%s/.dsh/dsh.conf", getenv("HOME")) < 0)
    {
        fprintf(stderr, _("%s: asprintf failed\n"), PACKAGE);
        exit(1);
    }
    load_configfile(buf);
    free(buf);
Definition of the asprintf() replacement bundled with dsh:
int asprintf(char **strp, const char *fmt, ...)
{
    /* The buffer size is derived from the format string alone; the
       arguments substituted into it are never measured. */
    ssize_t buflen = 50 * strlen(fmt); /* pick a number, any number */
    *strp = malloc(buflen);
    if (*strp)
    {
        va_list ap;
        va_start(ap, fmt);
        /* bounded by buflen: output beyond buflen-1 bytes is cut off */
        vsnprintf(*strp, buflen, fmt, ap);
        va_end(ap);
        return buflen; /* reports the buffer size, not the formatted length */
    }
    return -1; /* allocation failure path, not shown in the original excerpt */
}
Analysis: the buffer is sized as 50 * strlen("%s/.dsh/dsh.conf") = 800 bytes,
fixed at compile time, while the value substituted for %s is getenv("HOME"),
which whoever sets dsh's environment controls and which can be made far
longer than that. Once strlen(HOME) exceeds the room left in those 800 bytes,
the formatted path no longer fits the buffer.

Check before treating this as a write past the buffer: in the replacement as
printed, vsnprintf() is passed buflen, so the write stays inside the
allocation. The observable effects are a silently truncated config path and a
return value that misreports the length. An out-of-bounds write needs an
unbounded call (for example vsprintf()) in the build actually being tested.
The "pick a number" comment marks this as a compatibility fallback; confirm
whether the Debian binary links this function or the C library's own
asprintf(), which sizes the allocation from the formatted output and is not
affected.
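The following is an added example, not code from dsh or from the advisory author. It places a replacement modelled on the advisory's fixed-size asprintf() next to a correctly sized two-pass replacement, and drives both with a constructed over-long HOME value through a helper (build_conf_path, an assumed name) that mirrors the path construction in dsh's main() but takes the home value as a parameter instead of reading the environment.

```c
/* Added example: fixed-size vs. correctly sized asprintf() replacements,
   fed the same over-long HOME value. Not dsh's own code. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modelled on the advisory's snippet: the buffer is 50 * strlen(fmt)
   regardless of the arguments. vsnprintf() keeps the write inside the
   buffer, so a long argument is silently cut off and the returned value
   is the buffer size rather than the formatted length. */
int fixed_size_asprintf(char **strp, const char *fmt, ...)
{
    size_t buflen = 50 * strlen(fmt);
    va_list ap;

    *strp = malloc(buflen);
    if (*strp == NULL)
        return -1;
    va_start(ap, fmt);
    vsnprintf(*strp, buflen, fmt, ap);
    va_end(ap);
    return (int)buflen;
}

/* Correctly sized replacement: measure the formatted output first, then
   allocate exactly that much plus the terminator. */
int sized_asprintf(char **strp, const char *fmt, ...)
{
    va_list ap;
    int needed;

    *strp = NULL;
    va_start(ap, fmt);
    needed = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (needed < 0)
        return -1;
    *strp = malloc((size_t)needed + 1);
    if (*strp == NULL)
        return -1;
    va_start(ap, fmt);
    vsnprintf(*strp, (size_t)needed + 1, fmt, ap);
    va_end(ap);
    return needed;
}

#define DSH_CONF_FMT "%s/.dsh/dsh.conf" /* same format as dsh's main() */

/* Hypothetical helper: builds the per-user config path the way dsh's
   main() does, from an explicit home value instead of getenv("HOME").
   Returns whatever the chosen asprintf() reported; *out receives the path. */
int build_conf_path(const char *home, int use_fixed, char **out)
{
    if (use_fixed)
        return fixed_size_asprintf(out, DSH_CONF_FMT, home);
    return sized_asprintf(out, DSH_CONF_FMT, home);
}

/* Constructed input: a HOME value of n bytes of 'A'. Caller frees. */
char *make_long_home(size_t n)
{
    char *h = malloc(n + 1);
    if (h == NULL)
        return NULL;
    memset(h, 'A', n);
    h[n] = '\0';
    return h;
}

int main(void)
{
    char *home = make_long_home(1000); /* longer than the 800-byte buffer */
    char *p;
    int r;

    r = build_conf_path(home, 1, &p);
    printf("fixed-size: reported %d, actual %zu, tail \"%s\"\n",
           r, strlen(p), p + strlen(p) - 14);
    free(p);

    r = build_conf_path(home, 0, &p);
    printf("sized:      reported %d, actual %zu, tail \"%s\"\n",
           r, strlen(p), p + strlen(p) - 14);
    free(p);
    free(home);
    return 0;
}
```

With the format string's 16 bytes the fixed-size buffer is 800 bytes, so a 1000-byte HOME yields a 799-byte path consisting only of 'A's (the "/.dsh/dsh.conf" suffix is gone) while the function still reports 800; the sized version returns the true length, 1014, with the suffix intact. Whether the cut-off path opens some other file is a separate question from whether memory is corrupted, and the answer to the second is no as long as the bounded call is in place.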
*****************************************************************************
By "jsk" (akun), in ph4nt0m.net(c) Security.
E-mail: jsk@...nt0m.net
ph4nt0m Security Team: http://www.ph4nt0m.net
My World: http://jsk.ph4nt0m.net
MY GnuPG Public Key: http://202.119.104.82/webeq/app/jsk/jsk.asc