BugTraq
PST Linux Advisor--------Dsh-0.24.0 in debian has a home env Buffer Overflow Vulnerability Aug 10 2003 01:12AM
yan feng (jsk ph4nt0m net)


========================================

Ph4nt0m Security Advisory #2003--8-10

========================================

Dsh-0.24.0 in Debian has a HOME env Buffer Overflow Vulnerability

By "jsk" (akun), in ph4nt0m.net(c) Security.

E-mail: jsk (at) ph4nt0m (dot) net

Advisory Number : pst-2003--8-10-004

name : dsh

versions : 0.24.0 (possibly also 0.24.1)

Vendor : http://fresh.t-systems-sfr.com/linux/src/dsh-0.24.0.tar.gz

summary : Local & remote

os(s) : *nix

*****************************************************************************
Description : the bug should be in the Debian version; successful exploitation could result in arbitrary code execution with potentially elevated privileges.

*****************************************************************************

Vulnerability details:

*****************************************************************************

dsh.c (excerpt from main):

int main(int ac, char **av)
{
    char *buf = NULL;

    setlocale (LC_ALL, "");
    if (!textdomain(PACKAGE_NAME))
    {
        if (!bindtextdomain(PACKAGE_NAME, LOCALEDIR))
            fprintf (stderr, "%s: failed to call bindtextdomain\n", PACKAGE);
    }
    load_configfile(DSH_CONF);

    /* HOME is taken straight from the environment; its length is never checked */
    if (asprintf (&buf, "%s/.dsh/dsh.conf", getenv("HOME")) < 0)   /* .............lol */
    {
        fprintf (stderr, _("%s: asprintf failed\n"), PACKAGE);
        exit (1);
    }
    load_configfile(buf);
    free (buf);

asprintf's definition (the replacement used here):

int asprintf(char **strp, const char *fmt, ...)
{
    /* the buffer size is guessed from the format string alone, not from the arguments */
    ssize_t buflen = 50 * strlen(fmt); /* pick a number, any number */   /* .............lol */
    *strp = malloc(buflen);
    if (*strp)
    {
        va_list ap;
        va_start(ap, fmt);
        vsnprintf(*strp, buflen, fmt, ap);   /* ..................................lol */
        va_end(ap);
        return buflen;   /* returns the guessed size, not the formatted length */
    }
    return -1;   /* malloc failed */
}

hey:

when strlen(getenv("HOME")) > 50 * strlen("%s/.dsh/dsh.conf") ......buf overflow......
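For comparison, a length-correct asprintf replacement plus the HOME-path construction it feeds, as an added example that is not dsh's or Debian's code: it sizes the buffer from a dry-run vsnprintf instead of a guess derived from the format string, and rejects an unset HOME instead of passing NULL to %s. The names safe_asprintf and dsh_user_conf_path are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened replacement (added example, not dsh code):
 * measure the formatted length first, then allocate exactly that much.
 * Returns the number of characters written (excluding NUL), or -1 with
 * *strp set to NULL on failure, matching the GNU asprintf contract. */
int safe_asprintf(char **strp, const char *fmt, ...)
{
    va_list ap, ap2;
    int len;
    *strp = NULL;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    len = vsnprintf(NULL, 0, fmt, ap);   /* dry run: required length */
    va_end(ap);
    if (len < 0) { va_end(ap2); return -1; }
    *strp = malloc((size_t)len + 1);
    if (!*strp) { va_end(ap2); return -1; }
    vsnprintf(*strp, (size_t)len + 1, fmt, ap2);
    va_end(ap2);
    return len;
}

/* Builds "$HOME/.dsh/dsh.conf" from a caller-supplied home directory
 * (constructed input here; dsh itself reads getenv("HOME")).
 * An unset or empty HOME is an error rather than a NULL passed to "%s". */
char *dsh_user_conf_path(const char *home)
{
    char *buf = NULL;
    if (home == NULL || *home == '\0')
        return NULL;
    if (safe_asprintf(&buf, "%s/.dsh/dsh.conf", home) < 0)
        return NULL;
    return buf;
}

int main(void)
{
    char long_home[2000];   /* constructed: far longer than 50 * strlen(fmt) */
    memset(long_home, 'A', sizeof long_home - 1);
    long_home[sizeof long_home - 1] = '\0';
    char *p = dsh_user_conf_path(long_home);
    if (p) printf("%zu\n", strlen(p));   /* prints 2013: 1999 + strlen("/.dsh/dsh.conf") */
    free(p);
    return 0;
}
```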

*****************************************************************************

By "jsk" (akun), in ph4nt0m.net(c) Security.

E-mail: jsk (at) ph4nt0m (dot) net

ph4nt0m Security Team: http://www.ph4nt0m.net

My World: http://jsk.ph4nt0m.net

MY GnuPG Public Key: http://202.119.104.82/webeq/app/jsk/jsk.asc
