|
Vulnerability /usr/bin/which Affected Slackware 4.0, 7.0 Description 'enthh' posted following. He has recently found a buffer overflow in Slackware 4.0, and 7.0.0's /usr/bin/which (others?). It overflows at about 985 bytes, and although its not setuid(), alot of programs use which to find system files, indirectly causing other programs to overflow. Do an exploit as an exercize. /* which - C version of the unix/csh 'which' command * vix 23jul86 [written] * vix 24jul86 [don't use dynamic memory] */ #include <stdio.h> static char *myname; main(argc, argv) int argc; char *argv[]; { char *getenv(), *path = getenv("PATH"); myname = argv[0]; for (argc--, argv++; argc; argc--, argv++) if (0 != which(*argv, path)) exit(1); exit(0); } static which(name, path) char *name, *path; { char test[1000], *pc, *malloc(), save; int len, namelen = strlen(name), found; pc = path; found = 0; while (*pc != '\0' && found == 0) { len = 0; while (*pc != ':' && *pc != '\0') { len++; pc++; } save = *pc; *pc = '\0'; sprintf(test, "%s/%s", pc-len, name); *pc = save; if (*pc) pc++; found = (0 == access(test, 01)); /* executable */ if (found) puts(test); } if (found == 0) { printf("%s: no %s in (%s)\n", myname, name, path); return 1; } return 0; } Solution Nothing yet.