I checked the archives; not a word of this was to be found, so here goes.
First off, my o/s:
FreeBSD xxxxxx 2.2.1-RELEASE
Upon running su today, which is obviously setuid on most systems, I used the argument '--' instead of '-'. This caused it to seg fault. I ran gdb on it and found the problem was in a getpwnam() call. Here is the source.
-- FreeBSD su.c (line 175)--
}
/* get target login information, default to root */
---> if ((pwd = getpwnam(user)) == NULL) { <---
errx(1, "unknown login: %s", user);
}
-- end --
It turns out an earlier call to getopt() returns EOF, yet it still thinks it has an extra argument for the username, which it doesn't, so it points user to argv[2], which is null. It then calls getpwnam() with the null argument, as shown in the code, and the getpwnam() function in libc tries to do a strlen() on the null pointer and seg faults. End of program.
Exploitable in any way? I have no idea. I would be very interested in comments on this if it is exploitable. Attached to this is a small patch which checks to see if user is valid or not before making the getpwnam() call. Again, this patch is meant for FreeBSD su only. I tried this same thing on Sun and Linux and it didn't seem to work.
-taz
------------------------------------------------------------------------
taz on IRC
taz@dal.net
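The argument-handling slip described in the post, as an added example that is not part of the original message or of FreeBSD's su.c. It models the faulty logic the post describes (after getopt() stops at "--", the next argv slot is taken as the username without checking that one exists, so the NULL that terminates argv reaches the getpwnam() call site) beside a checked variant that bounds-checks optind against argc and applies the "default to root" rule that the su.c comment states. The flag string "flm", the function names and the two constructed command lines are this example's own assumptions, not taken from su.c.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not code from the original post or from FreeBSD's su.c.
 * Models the unchecked leftover-argument pattern and the checked form. */

static void reset_getopt(void)
{
    optind = 0;   /* glibc re-initialises getopt() on 0; FreeBSD's getopt treats 0 as "start over" too */
    opterr = 0;   /* keep getopt() from printing diagnostics during the demo runs */
}

/* Faulty pattern: assume a username argument follows the options. */
static const char *target_user_unchecked(int argc, char *argv[])
{
    int ch;
    reset_getopt();
    while ((ch = getopt(argc, argv, "flm")) != -1)
        ;   /* flag handling omitted; only the leftover-argument logic matters here */
    /* BUG: for "su --" optind == argc, so this returns the NULL that terminates argv. */
    return argv[optind];
}

/* Checked pattern: confirm an argument is present before using it, else default. */
static const char *target_user_checked(int argc, char *argv[])
{
    int ch;
    reset_getopt();
    while ((ch = getopt(argc, argv, "flm")) != -1)
        ;
    if (optind < argc && argv[optind] != NULL)
        return argv[optind];
    return "root";   /* the default the su.c comment describes */
}

/* Stand-in for the getpwnam() call site: libc runs strlen() on the name,
 * so a NULL here is exactly the segfault the post reports. */
static int safe_to_pass_to_getpwnam(const char *user)
{
    return user != NULL;
}

/* Constructed command lines (hypothetical input, not from the post). */
static char *dashdash_argv[] = { "su", "--", NULL };
static char *named_argv[]    = { "su", "-l", "alice", NULL };

const char *demo_dashdash_unchecked(void) { return target_user_unchecked(2, dashdash_argv); }
const char *demo_dashdash_checked(void)   { return target_user_checked(2, dashdash_argv); }
const char *demo_named_unchecked(void)    { return target_user_unchecked(3, named_argv); }
const char *demo_named_checked(void)      { return target_user_checked(3, named_argv); }

int main(void)
{
    const char *u;

    u = demo_dashdash_unchecked();
    printf("unchecked, \"su --\":       %s\n",
           safe_to_pass_to_getpwnam(u) ? u : "(NULL: getpwnam() would strlen() a null pointer)");
    u = demo_dashdash_checked();
    printf("checked,   \"su --\":       %s\n", u);
    u = demo_named_unchecked();
    printf("unchecked, \"su -l alice\": %s\n", u);
    u = demo_named_checked();
    printf("checked,   \"su -l alice\": %s\n", u);
    return 0;
}
```

Running it shows the unchecked variant handing back NULL for "su --" while the checked variant yields "root"; both agree on "su -l alice". The check is the general rule for any getopt() user: the number of remaining operands is argc - optind, and it must be tested before indexing argv.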
-- su.patch (attachment, base64 decoded) --
--- su.c	Thu Nov  6 11:05:37 1997
+++ goodsu.c	Thu Nov  6 11:04:32 1997
@@ -174,6 +174,10 @@
 			iscsh = NO;
 		}
 
+	/* if user is null, exit */
+	if(!user)
+		errx(1, "syntax error");
+
 	/* get target login information, default to root */
 	if ((pwd = getpwnam(user)) == NULL) {
 		errx(1, "unknown login: %s", user);
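Review bot: the new "if(!user)" guard stops the NULL from reaching getpwnam(), but exiting with errx(1, "syntax error") contradicts the comment on the context line right below it, "/* get target login information, default to root */": a missing username is the documented default case, not a syntax error, so the fix that matches the surrounding code is to substitute the default (for example "if (user == NULL) user = "root";") rather than abort. Two smaller points: the message "syntax error" tells the caller nothing about what was wrong, and "if(!user)" drops the space after "if" that the neighbouring "if ((pwd = getpwnam(user)) == NULL) {" line uses.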