BugTraq
Back to list
|
Post reply
uml_net bug
May 24 2003 01:10AM
Ktha (ktha hushmail com)
(1 replies)
Re: uml_net bug
May 26 2003 03:26PM
3APA3A (3APA3A SECURITY NNOV RU)
Dear Ktha,
The problem is different: uml_net shouldn't be suid.
http://rhn.redhat.com/errata/RHSA-2003-056.html
Details:
An updated kernel-utils package is available that removes the setuid bits
incorrectly assigned to the uml_net binary.
--Saturday, May 24, 2003, 5:10:07 AM, you wrote to bugtraq (at) securityfocus (dot) com [email concealed]:
K> There is a vulnerability in uml_net. The latest version is vulnerable too.
K> The problem is the lack of bounds checking in uml_net.c from uml_utilities,
K> A possible attack could lead to root compromise on some systems since for
K> example uml_net comes suided root in RH 8.0 by default.
K> Let's look over the code:
K> * int n = 3, v;
K> we observe how "v" is declared, as a signed integer.
K> with a little bit of "luck" will end up here, knowing that "v" will get
K> the value of the first parameter (an integer) given to the program:
K> * if(v > CURRENT_VERSION)
K> so... if "v" is smaller than 0, the test will be passed but "v" will not
K> be between 0 and CURRENT_VERSION as the author would expected to.
K> after some tests on the second parameter of the program... we should
K> arrive to this code:
K> * if(handlers[v] != NULL) (*handlers[v])(argc - n, &argv[n]);
K> here it is called the function located at handlers[v]. by suplying a large
K> negative integer for "v", handlers[v] can point to the stack which can be
K> controlled by the user. so, the program can be fooled to call a user
K> controlled "function".
K> since the root privileges are not dropped till this point... the user code
K> will be executed with super-user privileges.
K> Suggested patch: uml_net.c
K> - if(v > CURRENT_VERSION){
K> + if ((v > CURRENT_VERSION) || (v < 0)) {
K> Contact: ktha (at) hushmail (dot) com [email concealed]
--
~/ZARAZA
You know my name - look up my number (Beatles)
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
The problem is different: uml_net shouldn't be suid.
http://rhn.redhat.com/errata/RHSA-2003-056.html
Details:
An updated kernel-utils package is available that removes the setuid bits
incorrectly assigned to the uml_net binary.
--Saturday, May 24, 2003, 5:10:07 AM, you wrote to bugtraq (at) securityfocus (dot) com [email concealed]:
K> There is a vulnerability in uml_net. The latest version is vulnerable too.
K> The problem is the lack of bounds checking in uml_net.c from uml_utilities,
K> A possible attack could lead to root compromise on some systems since for
K> example uml_net comes suided root in RH 8.0 by default.
K> Let's look over the code:
K> * int n = 3, v;
K> we observe how "v" is declared, as a signed integer.
K> with a little bit of "luck" will end up here, knowing that "v" will get
K> the value of the first parameter (an integer) given to the program:
K> * if(v > CURRENT_VERSION)
K> so... if "v" is smaller than 0, the test will be passed but "v" will not
K> be between 0 and CURRENT_VERSION as the author would expected to.
K> after some tests on the second parameter of the program... we should
K> arrive to this code:
K> * if(handlers[v] != NULL) (*handlers[v])(argc - n, &argv[n]);
K> here it is called the function located at handlers[v]. by suplying a large
K> negative integer for "v", handlers[v] can point to the stack which can be
K> controlled by the user. so, the program can be fooled to call a user
K> controlled "function".
K> since the root privileges are not dropped till this point... the user code
K> will be executed with super-user privileges.
K> Suggested patch: uml_net.c
K> - if(v > CURRENT_VERSION){
K> + if ((v > CURRENT_VERSION) || (v < 0)) {
K> Contact: ktha (at) hushmail (dot) com [email concealed]
--
~/ZARAZA
You know my name - look up my number (Beatles)
[ reply ]