[16790] in bugtraq


Re: SUID wrapper (was Re: (fwd) Re: Format String Attacks)

daemon@ATHENA.MIT.EDU (Drazen Kacar)
Fri Sep 15 13:01:18 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000915083111.A2577@svarozic.srce.hr>
Date:         Fri, 15 Sep 2000 08:31:11 +0200
Reply-To: Drazen Kacar <dave@SRCE.HR>
From: Drazen Kacar <dave@SRCE.HR>
X-To:         "Granquist, Lamont" <lamont@ICOPYRIGHT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.21.0009141620030.17836-100000@enki.corp.icopyright.com>; from lamont@ICOPYRIGHT.COM on Thu,
              Sep 14, 2000 at 04:22:35PM -0700

Granquist, Lamont wrote:
> Instead of reinventing the wheel:
>
> http://cegt201.bradley.edu/~im14u2c/wrapper/
>
> That is Joe Zbiciak's suid wrapper which has been around for 3+ years.

Umm... The first function in the source is:

#include <ctype.h>

static inline
int word_wrap(char * s, int len)
{
        int i,j;

        for (i=j=0; *s && i<len; s++,i++)
                if (isspace(*s)) j=i;

        if (j==0 || !*s) j=i-1;

        return j;
}

One shouldn't call isspace() and friends with a char pointer as an argument.
You're going to get strange results if some character is greater than 127.
And I don't know what happens in locales which don't use single byte
encoding.

I'm not saying it's exploitable, but I don't have trust in the correct
operation of programs which do this kind of thing. And this is even supposed
to be a setuid program.

--
 .-.   .-.    I don't work for my employer.
(_  \ /  _)
     |        dave@srce.hr
     |        dave@fly.srk.fer.hr
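
Added example (not part of the original post or of the wrapper's source): ISO C defines the <ctype.h> functions only for EOF and values representable as unsigned char, so where plain char is signed a byte above 127 reaches isspace() as a negative int. The helper names and the sample string are constructed for illustration; word_wrap_cast() is the posted loop with only the cast added.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* <ctype.h> functions are defined only for EOF and 0..UCHAR_MAX. */
static int in_ctype_domain(int v)
{
    return v == EOF || (v >= 0 && v <= UCHAR_MAX);
}

/* What isspace(*s) receives where plain char is signed: the byte is
 * sign-extended by integer promotion, so 0xE9 arrives as -23. */
static int arg_as_posted(signed char c) { return c; }

/* What isspace((unsigned char)*s) receives: always 0..UCHAR_MAX. */
static int arg_with_cast(char c) { return (unsigned char)c; }

/* Same logic as the posted word_wrap(); only the isspace() argument differs. */
static int word_wrap_cast(const char *s, int len)
{
    int i, j;

    for (i = j = 0; *s && i < len; s++, i++)
        if (isspace((unsigned char)*s)) j = i;

    if (j == 0 || !*s) j = i - 1;

    return j;
}

int main(void)
{
    /* Constructed sample: Latin-1 "cafe au lait" with 0xE9 (e-acute) at index 3. */
    const char *line = "caf\xe9" " au lait";
    int raw = arg_as_posted((signed char)line[3]);
    int cast = arg_with_cast(line[3]);

    printf("as posted: %d (in domain: %d)\n", raw, in_ctype_domain(raw));
    printf("with cast: %d (in domain: %d)\n", cast, in_ctype_domain(cast));
    printf("wrap column: %d\n", word_wrap_cast(line, 8));
    return 0;
}
```
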
