allows a user to overwrite the information in a saved stack frame. When
the function returns, the saved frame is popped off the stack and
user-supplied code can be executed.
Example:
> id
uid=621 (mudge) gid=200(users)
> ./cronny -92
Using offset (0xefbfdbc8)
# id
uid=621 (mudge) euid=0(root) gid=200(users)
Description:
When crontab, a suid root program, is run with just a filename as its
only argument, the argument is copied into the variable
Filename[MAX_FNAME].
Since this copy is done via strcpy(), no bounds checking is done on the
length of the string being handed in. The code snippet from crontab.c
is as follows:
    static char Filename[MAX_FNAME];
    ...
    [ from parse_args(argc, argv) ]
    if (argv[optind] != NULL) {
        Option = opt_replace;
        /* unbounded copy: argv[optind] may be longer than MAX_FNAME */
        (void) strcpy (Filename, argv[optind]);
    }
By placing a sufficiently sized string in argv[1] it is possible to
overwrite the saved frame on the stack and, upon return from the routine,
execute machine code of the user's construction.
Solution:
One fix for the above problem is to replace the strcpy() with strncpy().
    if (argv[optind] != NULL) {
        Option = opt_replace;
        (void) strncpy(Filename, argv[optind], sizeof(Filename));
        /* strncpy() writes no terminator when the source fills the buffer */
        Filename[sizeof(Filename) - 1] = '\0';
    }
However, this only takes care of _one_ of the exploitable buffer overflows
in crontab. Finding and fixing the others is left as an exercise to the
readers ;-) [yes, Theo - I know you have already fixed them in OpenBSD!]
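As an added illustration (not code from the advisory or from crontab itself), the following shows a length-checked replacement for the strcpy() beside the reason a bare strncpy() is not sufficient; MAX_FNAME is an assumed value and set_filename() is a hypothetical name.

```c
#include <stdio.h>
#include <string.h>

/* MAX_FNAME value assumed; crontab's real constant is not on the page */
#define MAX_FNAME 100

static char Filename[MAX_FNAME];

/* Hardened stand-in for the strcpy() in parse_args(): copies argv[optind]
 * only if it fits and always leaves Filename NUL-terminated. Returns 0 on
 * success, -1 if too long, so the caller can report an error. */
int set_filename(const char *arg)
{
    size_t len = strlen(arg);
    if (len >= sizeof(Filename)) {
        Filename[0] = '\0';
        return -1;
    }
    memcpy(Filename, arg, len + 1);  /* +1 copies the NUL terminator */
    return 0;
}

/* Builds an argument twice the buffer size (the advisory's oversized argv[1])
 * and returns 1 if set_filename() rejected it and left Filename empty. */
int oversize_arg_rejected(void)
{
    char big[2 * MAX_FNAME];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return set_filename(big) == -1 && Filename[0] == '\0';
}

/* Why strncpy(dst, src, sizeof dst) alone is not enough: if src is at least
 * sizeof(dst) bytes no terminator is written. Returns 1 if dst got a NUL. */
int strncpy_leaves_terminator(const char *src)
{
    char dst[8];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

int main(void)
{
    printf("short arg ok: %d, oversize rejected: %d\n",
           set_filename("/tmp/crontab.txt") == 0, oversize_arg_rejected());
    printf("strncpy terminated 'abc': %d, 'abcdefgh': %d\n",
           strncpy_leaves_terminator("abc"), strncpy_leaves_terminator("abcdefgh"));
    return 0;
}
```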
Gratuitous plug:
OpenBSD has already fixed these problems in crontab around the date of
the exploit code below, if not a ways before. Talk about an OS with