[11549] in bugtraq
Re: Serious amd problems??
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Sat Aug 28 09:52:11 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990826130053.A25458@monad.swb.de>
Date: Thu, 26 Aug 1999 13:00:53 +0200
Reply-To: Olaf Kirch <okir@MONAD.SWB.DE>
From: Olaf Kirch <okir@MONAD.SWB.DE>
X-To: typo@scene.at
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19990825044002.A22074@boehm.org>; from typo@scene.at on Wed, Aug 25, 1999 at 04:40:02AM +0200
[Disclaimer: I didn't discover this... I'm just responding to it]
I took a look at the code today. It's the same problem that bit the
Linux mount daemon (I'm so glad I'm not the only stupid person on this
planet). It uses a logging function that happily sprintf's to a fixed
length string on the stack.
The fun part is that if you've tried to play it safe and compiled
amd with --disable-amq-mounts, you're vulnerable, because in
this case it logs (before performing any access checks):
plog(XLOG_ERROR, "client tried to mount %s, but code is disabled",
     the_path_specified_by_the_client);
If you've left amq mounts enabled, a similar message will be logged
at level XLOG_INFO, which goes to the bit bucket unless you've manually
increased log verbosity to info or more. However, anybody is able
to increase your log verbosity--no checking involved.
Redhat's bugzilla message (#4690) says the am-utils developers
recommend using 6.0.1s10. Hope that release fixes all the other 192
strcpy/strcat/sprintfs there are in 6.0 as well.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
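As an added illustration (not code from the post, from amd or from am-utils), a bounded replacement for a plog()-style logger: the message is formatted with vsnprintf() instead of sprintf() into a fixed stack buffer, and truncation is reported to the caller instead of overrunning the stack. The names plog_safe, log_disabled_mount, PLOG_BUFSIZE and the XLOG_* values are assumptions for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical hardened logger. The bug class described in the post is a
 * sprintf() into a fixed-size stack buffer, so a client-supplied path longer
 * than the buffer overwrites the stack. vsnprintf() never writes more than
 * outlen bytes (including the NUL), and the return value tells us whether
 * the message was cut short. */
#define PLOG_BUFSIZE 256
enum { XLOG_ERROR = 1, XLOG_INFO = 2 };   /* stand-ins for amd's log levels */
/* Formats one log line into out (capacity outlen). Returns 1 if the message
 * was truncated to fit, 0 if it fit, -1 on a formatting error. */
int plog_safe(char *out, size_t outlen, int level, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (out == NULL || outlen == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);   /* bounded: at most outlen-1 chars + NUL */
    va_end(ap);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    (void)level;  /* a real logger would also drop messages below the configured level */
    return (size_t)n >= outlen ? 1 : 0;   /* n is the length the full message wanted */
}
/* The log call quoted in the post, with the client path as untrusted input.
 * Returns the truncation flag from plog_safe so callers can see it. */
int log_disabled_mount(const char *client_path, char *out, size_t outlen)
{
    return plog_safe(out, outlen, XLOG_ERROR,
                     "client tried to mount %s, but code is disabled", client_path);
}
int main(void)
{
    char buf[PLOG_BUFSIZE];
    char longpath[2048];                  /* constructed oversized client input */
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';
    int t = log_disabled_mount(longpath, buf, sizeof buf);
    printf("truncated=%d len=%zu\n", t, strlen(buf));   /* len stays below PLOG_BUFSIZE */
    return 0;
}
```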