OSEC

From: david evlis reign (davidreignhotmail.com)
Date: Sat May 25 2002 - 03:08:55 CDT

    Local off by one overflow in CVSD.

    intro:
    the family of scanf functions (scanf, sscanf, fscanf) is generally insecure
    in usage, and steps have been taken to make them more... secure, you might say,
    like adding bounds checking (sscanf(hey, "%.4096s %d", buffer, int)), but the
    function still remains quite insecure, to a lesser-known bug like an off by
    one.

    WRONG:
    char buf[10];
    int i;
    sscanf(hey, "%.10s", buf); <-- boundary checks ten bytes...

    RIGHT:
    char buf[10];
    int i;
    sscanf(hey, "%.9s", buf); <-- see!

    therefore in the first example (WRONG) the last byte written into buf will
    exceed the allocated space (10 bytes) by one byte. woops.
    (http://www.hert.org/papers/klog-1.html <-- nice article)

    details:

    in cvs-1.11/src/rcs.c:
            info = findnode (vers->other_delta, "special");
            if (info != NULL)
            {
                /* If the size of `devtype' changes, fix the sscanf call also */
                char devtype[16]; <-- SIXTEEN BYTES

                if (sscanf (info->data, "%16s %lu", <-- WOOPS SHOULD BE 15
                            devtype, &devnum_long) < 2)
                    error (1, 0, "%s:%s has bad `special' newphrase %s",
                           workfile, vers->version, info->data);
                devnum = devnum_long;
                if (STREQ (devtype, "character"))
                    special_file = S_IFCHR;
                else if (STREQ (devtype, "block"))
                    special_file = S_IFBLK;
                else
                    error (0, 0, "%s is a special file of unsupported type `%s'",
                           workfile, info->data);
            }
        }

    this is only a locally exploitable hole, since the data is read from
    info->data, which in turn is from a symlinked local file (heh, you know where
    to find it).

    we at der sys have created the following patch:

    __END_OF_PATCH;

    ##########################
    #DER PATCH FOR CVS < 1.11#
    ##########################

    --- rcs_old.c Mon Jan 25 02:05:16 2002
    +++ rcs.c Mon Jan 25 02:05:40 2002

    --- 4238: if (sscanf (info->data, "%16s %lu",
    +++ 4238: if (sscanf (info->data, "%.15s %lu",
                    devtype, &devnum_long) < 2)
                    error (1, 0, "%s:%s has bad `special' newphrase %s",
                    workfile, vers->version, info->data);

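    Review bot: the replacement at line 4238 turns `%16s` into `%.15s`, but scanf-family conversions are `%[*][width][length]conv` with no precision modifier, so the `.` makes the conversion invalid and the parse fails even on well-formed input; for the 16-byte `devtype` the fix is `%15s` (15 characters plus the terminating NUL), which also keeps the invariant stated in the comment above the buffer that the width tracks the buffer size. The hunk is also written as `--- 4238:` / `+++ 4238:` lines rather than a unified `@@` hunk, so patch(1) will not apply it as-is.
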
    __END_OF_PATCH;

    vendor notification: nope.

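An added example in C, from the defender's side, that is not part of the post above or of CVS: a small auditor that checks a scanf-style format against the destination buffer size (flagging the three variants seen on this page, `%16s` into a 16-byte buffer, the `%.15s` of the patch, and the correct `%15s`), plus a parse of the `special' newphrase that derives the width from the buffer size. The function names and the sample input strings are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Verdict for the field width of a %s conversion in a scanf-style format. */
enum width_verdict {
    WIDTH_OK = 0,        /* %Ns with N <= bufsize - 1: N chars plus the NUL fit */
    WIDTH_MISSING,       /* %s with no width: unbounded write                   */
    WIDTH_TOO_LARGE,     /* %Ns with N >= bufsize: the NUL lands past the end   */
    WIDTH_BAD_PRECISION  /* %.Ns: scanf has no precision, the conversion fails  */
};

/* Audit the first %s or %[ conversion in fmt against a destination buffer of
 * bufsize bytes; returns WIDTH_OK if the format has no string conversion. */
enum width_verdict audit_scanf_width(const char *fmt, size_t bufsize)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;          /* literal percent sign */
        if (*p == '*') p++;                 /* assignment suppression */
        if (*p == '.') return WIDTH_BAD_PRECISION;
        size_t width = 0;
        int have_width = 0;
        for (; *p >= '0' && *p <= '9'; p++) {
            width = width * 10 + (size_t)(*p - '0');
            have_width = 1;
        }
        while (*p != '\0' && strchr("hlLjzt", *p) != NULL)
            p++;                            /* length modifiers */
        if (*p == '\0') break;              /* truncated conversion at end of fmt */
        if (*p != 's' && *p != '[') continue;
        if (!have_width) return WIDTH_MISSING;
        return width < bufsize ? WIDTH_OK : WIDTH_TOO_LARGE;
    }
    return WIDTH_OK;
}

/* Hardened parse of a `special' newphrase such as "character 1234": the width
 * comes from the buffer size, so devtype_len == 16 yields "%15s %lu". Returns
 * sscanf's assignment count (2 on success), or -1 if the buffer is too small. */
int parse_special(const char *data, char *devtype, size_t devtype_len,
                  unsigned long *devnum)
{
    char fmt[32];
    if (devtype_len < 2) return -1;
    snprintf(fmt, sizeof fmt, "%%%zus %%lu", devtype_len - 1);
    devtype[0] = '\0';
    return sscanf(data, fmt, devtype, devnum);
}
```

With `%15s` an over-long device type is cut at 15 characters, the following `%lu` then fails to match, and sscanf returns 1, so the caller's existing `< 2` check reports a bad newphrase instead of writing past the buffer.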