[12266] in bugtraq


Re: execve bug linux-2.2.12

daemon@ATHENA.MIT.EDU (visi0n)
Mon Oct 18 14:39:25 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.3.96.991016031655.521B-100000@variola.chinatown.org>
Date:         Sat, 16 Oct 1999 03:20:14 +0000
Reply-To: visi0n <visi0n@AUX-TECH.ORG>
From: visi0n <visi0n@AUX-TECH.ORG>
X-To:         ben@VALINUX.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <199910160007.RAA04857@trill.valinux.com>

Whoa, I think kernel 2.0.38 has the same bug, and one more: in the
count() function that checks how many argv's the binary has, it doesn't
check for the max number of argv's. This is worse than the bug found in
2.2.12 execve().

===============================================================================
visi0n
AUX TECHNOLOGIES
www.aux-tech.org

On Fri, 15 Oct 1999 ben@VALINUX.COM wrote:

> While doing some debugging, I discovered a really nasty stack smash
> bug in linux-2.2.12. I haven't checked previous versions of the
> 2.2 kernel, but the bug appears to be fixed in linux-2.2.13pre17.
>
> If I am reading this correctly, the implications of this bug could be
> very dire. It may be possible to easily obtain root privilege on any
> box running this kernel.
>
> Basically the problem is that the execve system call checks that argv
> is a valid pointer, but it doesn't check that all of the pointers in
> the argv array are valid pointers. If you pass bad pointers into the
> execve system call you can corrupt the process's stack before it
> returns to user space. Then, when the kernel hands off the process to
> the ELF loader code, which begins to set up the process, it can be
> made to execute some malicious code in place of the program's main
> function.
>
> This is particularly scary because all of this occurs BEFORE the
> program begins executing its main function and AFTER the program
> returns to user space with privilege. Therefore, no matter how well
> audited the program may be, it can be used to gain privilege.
>
> The thing that tipped me off to the problem was that a program that I
> exec'd was getting killed with SIGSEGV in __libc_start_main before my
> main function began running.
>
> -ben
>
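The two defects discussed in this thread (2.2.12 trusting the argv base pointer but not the entries inside the array, and 2.0.38's count() never capping the number of entries) are both failures to validate a user-supplied pointer array before the kernel walks it. The following is an added, user-space model written for this archive page, not code from the Linux kernel or from either poster: it simulates a caller's address space with a fixed buffer, stands in `get_user_ptr()` for the kernel's `get_user()`, and walks argv rejecting an unreadable slot or string with `-EFAULT` and an oversized array with `-E2BIG`. `MAX_ARG_COUNT`, `user_mem`, `build_argv()` and the `demo_*` functions are all constructed for the model; a real kernel derives its limit from its argument-page budget and checks whole strings, not just their first byte.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the calling process's address space: a pointer counts
 * as "user-readable" only if the whole object lies inside this buffer. */
static char user_mem[4096];

/* Memory that is NOT part of the simulated user address space (e.g. a kernel address). */
static char outside_user[16];

#define MAX_ARG_COUNT 32   /* constructed limit on argv entries for this model */

static int user_range_ok(const void *p, size_t len)
{
    const char *c = (const char *)p;
    return c >= user_mem && len <= sizeof(user_mem) &&
           c <= user_mem + sizeof(user_mem) - len;
}

/* Hypothetical stand-in for get_user(): copy one pointer-sized slot out of "user
 * space", failing with -EFAULT instead of touching an unreadable address. */
static int get_user_ptr(char *const *slot, char **out)
{
    if (!user_range_ok(slot, sizeof(*slot)))
        return -EFAULT;
    *out = *slot;
    return 0;
}

/* Checked walk over argv. Returns the argument count, -EFAULT if the array base,
 * one of its slots, or one of the strings is not readable, and -E2BIG if the
 * array holds more entries than max_args. Each check answers one of the two
 * reports above: per-entry validation (2.2.12) and an entry cap (2.0.38). */
static long count_argv(char *const *argv, long max_args)
{
    long n = 0;
    if (argv == NULL)
        return 0;
    for (;;) {
        char *p;
        int err = get_user_ptr(argv, &p);   /* the slot itself must be readable */
        if (err)
            return err;
        if (p == NULL)
            break;                          /* NULL terminator ends the array */
        if (!user_range_ok(p, 1))           /* the string it points at must be readable */
            return -EFAULT;
        if (++n > max_args)                 /* refuse an unbounded argument list */
            return -E2BIG;
        argv++;
    }
    return n;
}

/* Lay out an argv array of n entries inside user_mem, all pointing at one string.
 * If bad_slot >= 0, that entry is pointed outside the simulated address space. */
static char **build_argv(long n, long bad_slot)
{
    char **arr = (char **)(user_mem + 256);  /* array lives at offset 256 */
    char *str = user_mem;                    /* shared string at offset 0 */
    memset(user_mem, 0, sizeof(user_mem));
    strcpy(str, "arg");
    for (long i = 0; i < n; i++)
        arr[i] = (i == bad_slot) ? outside_user : str;
    arr[n] = NULL;
    return arr;
}

long demo_valid(void)      { return count_argv(build_argv(2, -1), MAX_ARG_COUNT); }
long demo_bad_pointer(void){ return count_argv(build_argv(3, 1), MAX_ARG_COUNT); }
long demo_bad_array(void)  { return count_argv((char *const *)outside_user, MAX_ARG_COUNT); }
long demo_too_many(void)   { return count_argv(build_argv(MAX_ARG_COUNT + 1, -1), MAX_ARG_COUNT); }

int main(void)
{
    printf("valid argv        -> %ld\n", demo_valid());
    printf("bad entry pointer -> %ld (-EFAULT is %d)\n", demo_bad_pointer(), -EFAULT);
    printf("bad array base    -> %ld\n", demo_bad_array());
    printf("too many entries  -> %ld (-E2BIG is %d)\n", demo_too_many(), -E2BIG);
    return 0;
}
```

The point of the model is ordering: every slot is fetched through the fault-tolerant accessor and every string is range-checked before anything is copied onto the new process's stack, so a hostile argv is refused with an error code rather than corrupting kernel-side state that the freshly exec'd, possibly privileged program inherits.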
