TUCoPS :: Linux :: Slackware :: which.htm

Slackware /user/bin/which buffer overflow
Vulnerability

    /usr/bin/which

Affected

    Slackware 4.0, 7.0

Description

    'enthh' posted following.  He has recently found a buffer overflow
    in  Slackware  4.0,  and  7.0.0's  /usr/bin/which  (others?).   It
    overflows at about 985 bytes, and although its not setuid(),  alot
    of programs  use which  to find  system files,  indirectly causing
    other programs to overflow.  Do an exploit as an exercize.

    /* which - C version of the unix/csh 'which' command
     * vix 23jul86 [written]
     * vix 24jul86 [don't use dynamic memory]
     */
    
    #include <stdio.h>
    
    static char *myname;
    
    main(argc, argv)
    int argc;
    char *argv[];
    {
     char *getenv(), *path = getenv("PATH");
    
     myname = argv[0];
     for (argc--, argv++;  argc;  argc--, argv++)
      if (0 != which(*argv, path))
       exit(1);
     exit(0);
    }
    
    static which(name, path)
    char *name, *path;
    {
     char test[1000], *pc, *malloc(), save;
     int len, namelen = strlen(name), found;
    
     pc = path;
     found = 0;
     while (*pc != '\0' && found == 0)
     {
      len = 0;
      while (*pc != ':' && *pc != '\0')
      {
       len++;
       pc++;
      }
    
      save = *pc;
      *pc = '\0';
      sprintf(test, "%s/%s", pc-len, name);
      *pc = save;
      if (*pc)
       pc++;
    
      found = (0 == access(test, 01)); /* executable */
      if (found)
       puts(test);
     }
     if (found == 0)
     {
      printf("%s: no %s in (%s)\n", myname, name, path);
      return 1;
     }
     return 0;
    }

Solution

    Nothing yet.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH