[16266] in bugtraq
Stack Overflow Vulnerability in procps's top
daemon@ATHENA.MIT.EDU (Ben Lull)
Wed Aug 16 13:14:57 2000
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <399A258F.1FBABBF4@valleylocal.com>
Date: Tue, 15 Aug 2000 22:24:31 -0700
Reply-To: ben@valleylocal.com
From: Ben Lull <ben@valleylocal.com>
To: BUGTRAQ@SECURITYFOCUS.COM

Description:

The utility top, included with the procps package in Slackware Linux,
contains multiple buffer overruns. Although the top utility is not sXid
by default, it is still a problem. Through security comes stability, and
by creating secure applications, you will in turn create stable
applications. The overflows occur in two different places. When a call
to strcpy() is made, it copies the environment variable HOME into the
buffer rcfile[1024] without bounds checking.

Reproduction:

Included with this post is proof of concept code (topoff.c) for
Slackware Linux 7.0.0 and 7.1.0. Simply remove the comment in front of
'#define RET' for the version of Slackware which you are testing and
compile. When run, the result will be an execve()'ed /bin/sh. You can
also verify that your version of top is vulnerable by setting the
environment variable HOME to a string greater than 1023 bytes.
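The defect described above is an unchecked strcpy() of HOME into a
1024-byte stack buffer. The following C program is an added example, not
code from the advisory, from topoff.c, or from procps: it shows the
bounded replacement a maintainer would use, refusing a HOME value that
does not fit instead of writing past the buffer, and a small check that
mirrors the verification hint in the Reproduction section (a HOME longer
than the buffer must be rejected, not copied). The function names
rcfile_from_home() and home_fits(), the suffix "/.toprc", and the result
codes are assumptions made for this illustration; only the buffer size
rcfile[1024] comes from the advisory.

```c
/*
 * Added example (not from the advisory or from procps): copying an
 * environment value such as HOME into a fixed-size buffer with a bounds
 * check. The advisory describes top doing strcpy() of HOME into
 * rcfile[1024]; everything else here (names, suffix, result codes) is an
 * assumption for the illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RCFILE_SIZE 1024          /* the rcfile[1024] buffer the advisory names */
#define RCFILE_SUFFIX "/.toprc"   /* assumed suffix; the real file name is not stated */

/* Result codes for the hardened copy (assumed names). */
enum { RC_OK = 0, RC_NO_HOME = -1, RC_TOO_LONG = -2 };

/*
 * Hardened version: build HOME + suffix into a caller-supplied buffer,
 * refusing (rather than truncating) when it would not fit. snprintf()
 * never writes more than outsz bytes and returns the length it wanted,
 * which is exactly the bounds check that strcpy() lacks.
 */
int rcfile_from_home(const char *home, char *out, size_t outsz)
{
    if (home == NULL || *home == '\0')
        return RC_NO_HOME;

    int needed = snprintf(out, outsz, "%s%s", home, RCFILE_SUFFIX);
    if (needed < 0 || (size_t)needed >= outsz) {
        out[0] = '\0';            /* leave no partial path behind */
        return RC_TOO_LONG;
    }
    return RC_OK;
}

/*
 * Check matching the advisory's verification hint: does this HOME value
 * fit the 1024-byte buffer once the suffix and terminator are added?
 * Returns 1 if it fits, 0 if it must be rejected.
 */
int home_fits(const char *home)
{
    char buf[RCFILE_SIZE];
    return rcfile_from_home(home, buf, sizeof buf) == RC_OK;
}

int main(void)
{
    char rcfile[RCFILE_SIZE];
    const char *home = getenv("HOME");
    int rc = rcfile_from_home(home, rcfile, sizeof rcfile);

    if (rc == RC_OK)
        printf("rcfile path: %s\n", rcfile);
    else if (rc == RC_NO_HOME)
        fputs("HOME is not set; using built-in defaults\n", stderr);
    else
        fputs("HOME too long for rcfile buffer; ignoring it\n", stderr);
    return 0;
}
```

Run it once with a normal HOME and once with HOME set to a string longer
than 1023 bytes: the second run reports the value as too long and leaves
the buffer empty, where the strcpy() version described above would have
overrun the stack. Refusing rather than silently truncating is the safer
choice for a path, since a truncated path may still name a real file.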

Solution:

A patch for the most current version of procps (procps-2.0.6) is
attached to this post. Obtain procps-2.0.6 from any Slackware
distribution site under the source/a/procps/ directory. Unpack
procps-2.0.6.tar.gz and apply the included patch (procps-2.0.6.patch).

Credits:

I'd like to actually say thank you to my boss for not getting on my case
when I stray from my work to play with things such as this.

Notes:

For reference, you can see all previous posts at
http://www.skunkware.org/security/advisories/

- Ben

************************
* Ben Lull *
* Valley Local Internet, Inc *
* Systems Administrator *
************************