[11691] in bugtraq
Re: Babcia Padlina Ltd. security advisory: mars_nwe buffer
daemon@ATHENA.MIT.EDU (Taneli Huuskonen)
Sat Sep 4 08:09:05 1999
Message-Id: <199909020221.FAA10060@sirppi.helsinki.fi>
Date: Thu, 2 Sep 1999 05:21:59 +0300
Reply-To: Taneli Huuskonen <huuskone@CC.HELSINKI.FI>
From: Taneli Huuskonen <huuskone@CC.HELSINKI.FI>
X-To: venglin@FREEBSD.LUBLIN.PL
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19990830200449.54656.qmail@lagoon.FreeBSD.lublin.pl> from "Przemyslaw Frasunek" at Aug 30, 99 02:31:46 pm
-----BEGIN PGP SIGNED MESSAGE-----
Przemyslaw Frasunek writes:
@@ -103,11 +103,11 @@
uint8 command[500];
struct stat statb;
if (!stat(newname, &statb)) return(EEXIST);
if (stat(oldname, &statb)) return(-1);
else if (!S_ISDIR(statb.st_mode)) return(-1);
- - sprintf(command, "mv %s %s 2>&1 >/dev/null" , oldname, newname);
+ snprintf(command, sizeof(command)-1, "mv %s %s 2>&1 >/dev/null" , oldname, newname);
return(system(command));
}
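Review bot: the snprintf() line stops the overflow of the 500-byte command[] buffer, but the call on the last line still hands oldname and newname to system() unquoted, so the fix does not address the shell-injection risk the reply below points out; since every other line of the function already treats the arguments as filesystem paths (stat() and S_ISDIR()), replacing the sprintf/system pair with rename(oldname, newname) removes the shell and the fixed-size buffer together, or if an external mv is really required, pass the names as an argv array to execv() rather than through a shell string. Two smaller points on the same line: sizeof(command)-1 is one byte shorter than needed (snprintf already reserves room for the terminator, so sizeof(command) is correct), and the return value of snprintf() is not checked, so a pair of long names would produce a silently truncated command that is then executed as-is.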
Without seeing the context, I can't say for sure, but this looks like a
hole big enough to drive a truck through - calling system() with
user-supplied arguments. If this code is running with superuser
privileges and shell metacharacters haven't been removed very carefully,
there's going to be a trivial exploit.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQB1AwUBN83eygUw3ir1nvhZAQGNzQL/cP/NqiAyq9Pmf5QhPCvSGdbE9LFukkZ+
bJDqmaiQ9l7P/GZcUT1wkEsvE+pS2HI+g6sKyqFzcMgpmov7ojX9oHtpfFdqgJdX
djlXi5LI1PKS4/0jVcUBNQt6mInRyHHO
=Jf2q
-----END PGP SIGNATURE-----
--
I don't | All messages will be PGP signed, | Fight for your right to
speak for | encrypted mail preferred. Keys: | use sealed envelopes.
the Uni. | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
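The hardened form of the function quoted above, as an added example that is not code from the original post or from the mars_nwe project: it keeps the three stat() checks with the same return values (EEXIST, -1, 0) but performs the move with rename(2), so neither name is ever interpreted by a shell and the fixed-size command buffer is gone. The helper has_shell_meta() and the SHELL_META table are assumptions of this example, useful for logging or rejecting suspicious names, not a substitute for removing the shell. The /tmp/mvdemo_* paths in main() are constructed for the demonstration.

```c
/* Hardened replacement for the quoted mars_nwe helper (added example, not
 * project code).  The three stat() checks are kept; the shell is removed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Characters a POSIX shell treats specially in an unquoted word (assumed
 * list).  Good for logging or rejecting names; never rely on it instead of
 * avoiding the shell altogether. */
static const char SHELL_META[] = "|&;<>()$`\\\"' \t\n*?[]#~=%!{}";

/* Returns 1 if the name contains any shell metacharacter, else 0. */
int has_shell_meta(const char *name)
{
    return strpbrk(name, SHELL_META) != NULL;
}

/* Same contract as the original: EEXIST if newname already exists, -1 if
 * oldname is missing or not a directory, 0 on success.  rename(2) replaces
 * system("mv ..."), so the names are plain paths to the kernel and there is
 * no command buffer left to overflow. */
int move_dir_noshell(const char *oldname, const char *newname)
{
    struct stat statb;

    if (!stat(newname, &statb)) return EEXIST;
    if (stat(oldname, &statb)) return -1;
    if (!S_ISDIR(statb.st_mode)) return -1;
    return rename(oldname, newname) == 0 ? 0 : -1;
}

/* Demo: create a scratch directory under /tmp (constructed name), move it to
 * a name containing ';', and show that to rename(2) it is just a name. */
int main(void)
{
    char src[64], dst[64];

    snprintf(src, sizeof src, "/tmp/mvdemo_%ld", (long)getpid());
    snprintf(dst, sizeof dst, "/tmp/mvdemo_%ld;id", (long)getpid());
    if (mkdir(src, 0700) != 0) { perror("mkdir"); return 1; }

    printf("metachar in dst: %d\n", has_shell_meta(dst));        /* 1 */
    printf("first move:      %d\n", move_dir_noshell(src, dst));  /* 0 */
    printf("second move:     %d (EEXIST is %d)\n",
           move_dir_noshell(src, dst), EEXIST);                   /* EEXIST */
    rmdir(dst);
    return 0;
}
```

The point of the comparison is that the original's checks were already path-based; only the final step dropped into a shell, and that is the step an attacker-controlled name could abuse. Keeping the return contract identical lets the caller stay unchanged.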