[15354] in bugtraq
Re: local root on linux 2.2.15
daemon@ATHENA.MIT.EDU (Peter da Silva)
Thu Jun 15 14:43:18 2000
Message-Id: <200006151544.KAA0000009515@grendel.eng.baileynm.com>
Date: Thu, 15 Jun 2000 10:44:07 -0500
Reply-To: Peter da Silva <peter@SCARYDEVIL.ORG>
From: Peter da Silva <peter@SCARYDEVIL.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <87bt184i7z.fsf@arabella.intern.opera.no>
In article <87bt184i7z.fsf@arabella.intern.opera.no> you write:
> Always check the return value of system calls. Always. Always.
> Always.
[...]
> cap_user_header_t header;
> cap_user_data_t data;
> header = malloc(8);
> data = malloc(12);
> header->pid = 0;
> header->version = _LINUX_CAPABILITY_VERSION;
> data->inheritable = data->effective = data->permitted = 0;
Two bugs here:
1. If sizeof(cap_user_header_t) or sizeof(cap_user_data_t)
increases, you'll get a buffer overflow in the malloc()ed
data. This isn't as bad as a buffer overflow on stack,
because it's almost impossible to exploit for anything but
a DOS attack, but it's easy to avoid:
header = malloc(sizeof (cap_user_header_t) );
data = malloc(sizeof (cap_user_data_t) );
2. Ironically, you're not checking the return value of a system
call, namely brk() or sbrk() (or maybe mmap(), depending on
how they're implementing malloc() in Lunix these days). Before
using header or data, check that malloc() succeeded.
if(! (header = malloc(sizeof (cap_user_header_t) ) ) ) {
perror("malloc: header");
exit(1); /* or return an error, depending on context */
}
if(! (data = malloc(sizeof (cap_user_data_t) ) ) ) {
perror("malloc: data");
exit(1); /* or return an error, depending on context */
}
> capset(header, data);
I don't have a recent Linux box to check, but isn't this a system call?
If this fails, what happens? In the sample code, nothing bad... but if
you don't get in the habit of automatically writing robust code you're
going to be reading one of these alerts some day with your name on it...
as the victim.
(and if I missed something in the code above, go ahead and stamp all over
my face, I know I've shipped broken code in the past... they say
there's no saint like a converted sinner)
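An added example (not part of the original thread) that applies the reply's advice to the quoted capset() snippet: every allocation and the system call itself are checked. One assumption worth stating: in linux/capability.h both cap_user_header_t and cap_user_data_t are pointer typedefs, so sizeof(cap_user_header_t) is the size of a pointer, and the allocation below sizes by the pointed-to struct instead. It also uses ABI version 3, which carries two data words, so the data buffer is an array.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Allocate and initialise the capset() buffers, sized by the pointed-to
 * structs (the typedefs are pointers).  Returns 0, or -1 if malloc fails. */
static int alloc_cap_bufs(cap_user_header_t *hp, cap_user_data_t *dp)
{
    cap_user_header_t h = malloc(sizeof *h);
    if (!h) {
        perror("malloc: header");
        return -1;
    }
    /* Version 3 of the ABI uses _LINUX_CAPABILITY_U32S_3 data structs;
     * calloc zeroes effective/permitted/inheritable in all of them. */
    cap_user_data_t d = calloc(_LINUX_CAPABILITY_U32S_3, sizeof *d);
    if (!d) {
        perror("malloc: data");
        free(h);
        return -1;
    }
    h->version = _LINUX_CAPABILITY_VERSION_3;
    h->pid = 0;                 /* 0 means the calling thread */
    *hp = h;
    *dp = d;
    return 0;
}

/* Drop every capability of the calling thread.  Returns 0 on success,
 * -1 (errno set, message printed) if allocation or capset() fails. */
static int drop_all_caps(void)
{
    cap_user_header_t h;
    cap_user_data_t d;
    if (alloc_cap_bufs(&h, &d) < 0)
        return -1;
    /* glibc has no capset() wrapper; go through syscall(2) and check it. */
    long rc = syscall(SYS_capset, h, d);
    if (rc < 0)
        perror("capset");
    free(d);
    free(h);
    return rc < 0 ? -1 : 0;
}

int main(void)
{
    if (drop_all_caps() < 0)
        return EXIT_FAILURE;
    puts("all capabilities dropped");
    return EXIT_SUCCESS;
}
```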