Re: *BSD user-ppp local root (when conditions permit)
Russian Federation
2008-03-01 17:06:34
Good day.

Fri, Feb 29, 2008 at 04:39:03PM -0000, sipherr@gmail.com wrote:
> I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also works on OpenBSD (unconfirmed on 4.2)
> 
> Steps to reproduce:
> 
> 1. Run ppp
> 
> 2. Type the following (or at least some variation of it):
> 
> ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> 
> 
> 
> This will produce a segmentation violation (Core dumped).

Yes, good catch: looks like a stack-based buffer overflow.  Also works
on FreeBSD 7.0.  Could you please test the following rough patch --
it seems to cure the situation.  Although it is a bit late for
today and I will recheck it more carefully tomorrow.

diff --git a/usr.sbin/ppp/systems.c
b/usr.sbin/ppp/systems.c
index 77f06a1..0cf01d1 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
 -82,6
+82,10  InterpretArg(const char *from, char *to)
     from++;
 
   while (*from != '') {
+    if (to >= endto) {
+	*endto = '';
+	return from;
+    }
     switch (*from) {
       case '"':
         instring = !instring;
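Review bot: `endto` is used in the new check at the top of the loop, but nothing in the patch declares or initialises it, and InterpretArg() still takes only `(const char *from, char *to)` with no length, so as posted this cannot compile and the bound has to come from somewhere not shown. The function needs the size of `to` (a new parameter, or the caller's buffer size passed through) and `endto` derived from it. Please also confirm that `endto` points at the last valid byte of `to` rather than one past the end: the truncation path writes the terminator through `*endto`, and if `endto` is `to + sizeof(buf)` that terminator is itself a one-byte overflow.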
 -97,6
+101,10  InterpretArg(const char *from, char *to)
             *to++ = '\';	/* Pass the escapes on, maybe
skipping # */
             break;
         }
+	if (to >= endto) {
+		*endto = '';
+		return from;
+	}
         *to++ = *from++;
         break;
       case '$':
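Review bot: the check added here runs only after the `*to++ = '\'` on the line above it has already written one byte, so it is safe only because the loop-top check in the previous hunk guarantees room for exactly one byte before the switch; the two checks are now interdependent without a comment saying so. Moving this check above the backslash write would make each write locally guarded. Also, returning from the middle of an escape leaves a lone trailing backslash in `to`, and the caller gets no indication that the argument was truncated; silent truncation may be acceptable here, but it is worth either logging it or failing the parse rather than continuing with a mangled argument.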
 -127,6
+135,10  InterpretArg(const char *from, char *to)
             *ptr++ = *from;
           *ptr = '';
         }
+	if (to >= endto) {
+		*endto = '';
+		return from;
+	}
         if (*to == '')
           *to++ = '$';
         else if ((env = getenv(to)) != NULL) {
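Review bot: this check arrives only after the `*ptr++ = *from` loop above it has already staged the variable name, and `ptr` is not bounded by anything in the hunk; since the name is then passed as `getenv(to)`, `ptr` evidently starts at `to`, so those writes can already have run past the buffer before the `to >= endto` test executes. The bound has to be applied inside the name-collecting loop (stop when `ptr >= endto`), and the subsequent copy of the `getenv()` result into `to` (not visible here) needs its own room check, since an environment value can be arbitrarily long.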
 -142,6
+154,10  InterpretArg(const char *from, char *to)
         if (len == 0)
           pwd = getpwuid(ID0realuid());
         else {
+	  if (to + len >= endto) {
+		*to = '';
+		return from;
+	  }
           strncpy(to, from, len);
           to[len] = '';
           pwd = getpwnam(to);
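Review bot: `to + len >= endto` forms a pointer past the end of the buffer before comparing it, which is undefined behaviour in C when `len` is large; compare lengths instead, e.g. `if (len >= (size_t)(endto - to))`. The check itself is correct for the `strncpy(to, from, len); to[len] = ...` that follows, as `to[len]` then lands strictly below `endto`. It is inconsistent with the other hunks, though, which terminate at `*endto` while this one terminates at `*to`; pick one convention. Finally, the expansion of `pwd` that must follow this hunk is not shown, and that is where each `~` in the reported input grows the output, so it needs the same room check before anything is copied into `to`.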

Thank you!
-- 
Eygene
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
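The following is an added example, not the ppp(8) source and not code from anyone in this thread: a simplified C model of a "~"-expanding argument interpreter in the style of InterpretArg(), with a function that computes how much output the unbounded expansion would need next to a bounded version that uses an end pointer the way the patch does. The user database is a constructed table standing in for getpwnam()/getpwuid() (the empty name is what "~/" resolves to, assumed here to be root), the sample input is constructed in the shape of the report's "~/~/~/.../xxxx" argument, and the function and variable names are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for getpwnam()/getpwuid() so the example runs offline. */
struct fake_pw { const char *name; const char *dir; };

static const struct fake_pw fake_pw_table[] = {
    { "",      "/root" },          /* "~" or "~/": invoking user, assumed root */
    { "alice", "/home/alice" },
};

static const char *lookup_home(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof fake_pw_table / sizeof fake_pw_table[0]; i++)
        if (strcmp(fake_pw_table[i].name, name) == 0)
            return fake_pw_table[i].dir;
    return NULL;
}

/*
 * Bytes the *unbounded* expansion of `from` would occupy (without the NUL).
 * Models the pre-patch behaviour: every "~" or "~user" naming a known user
 * adds strlen(home) to the output while consuming only 1 + strlen(user)
 * input bytes, so a short argument can grow well past a fixed stack buffer.
 */
size_t expanded_length(const char *from)
{
    size_t out = 0;
    char name[64];

    while (*from != '\0') {
        if (*from == '~') {
            size_t len = strcspn(from + 1, "/");
            const char *home = NULL;

            if (len < sizeof name) {
                memcpy(name, from + 1, len);
                name[len] = '\0';
                home = lookup_home(name);
            }
            if (home != NULL) {
                out += strlen(home);
                from += 1 + len;
                continue;
            }
        }
        out++;
        from++;
    }
    return out;
}

/*
 * Bounded expansion into to[size]: never writes past to[size - 1] and always
 * NUL-terminates.  `endto` points at the last byte, reserved for the
 * terminator, so "to >= endto" means no room for one more character and a
 * copy of n bytes fits only when n <= endto - to (a length comparison, so no
 * out-of-range pointer is ever formed).  Returns the number of input bytes
 * consumed; a value below strlen(from) means the result was truncated.
 */
size_t expand_tilde_bounded(const char *from, char *to, size_t size)
{
    const char *start = from;
    char *endto;

    if (size == 0)
        return 0;
    endto = to + size - 1;

    while (*from != '\0') {
        if (to >= endto)
            break;                          /* out of room: truncate here */

        if (*from == '~') {
            size_t len = strcspn(from + 1, "/");
            const char *home = NULL;

            /* Stage the user name in the output buffer, as the real code does,
             * but only when name + NUL fits in the room that is left. */
            if (len <= (size_t)(endto - to)) {
                memcpy(to, from + 1, len);
                to[len] = '\0';
                home = lookup_home(to);
            }
            if (home != NULL) {
                size_t hl = strlen(home);

                if (hl > (size_t)(endto - to))
                    break;                  /* home directory does not fit */
                memcpy(to, home, hl);
                to += hl;
                from += 1 + len;
                continue;
            }
            /* Unknown user (or name too long to check): copy '~' literally. */
        }
        *to++ = *from++;
    }
    *to = '\0';
    return (size_t)(from - start);
}

/* Constructed sample in the shape of the report's input: ten "~/" then 40 x's. */
const char sample_input[] =
    "~/~/~/~/~/~/~/~/~/~/"
    "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx" "xxxxxxxxxx";
```

With the sample input (60 bytes) the unbounded expansion needs 100 bytes, because each "~/" becomes "/root/"; run through a 64-byte buffer, the bounded version stops after 23 input bytes with a 63-character NUL-terminated result instead of writing past the buffer. The `size_t` comparisons against `endto - to` are the part worth copying into a real fix: they keep the check correct whether the pending write is a single byte, a staged name plus its terminator, or a whole home directory.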

