bin/65175: buffer overrun in timedc

Serge van den Boom svdb+freebsd-bugs at stack.nl
Sun Apr 4 15:00:39 PDT 2004


>Number:         65175
>Category:       bin
>Synopsis:       buffer overrun in timedc
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 04 15:00:38 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Serge van den Boom
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
M.C.G.V. Stack
>Environment:
System: FreeBSD toad.stack.nl 4.9-STABLE FreeBSD 4.9-STABLE #12: Fri Feb 6 12:18:35 CET 2004 jilles at vwww.stack.nl:/vwww.mnt/sources/4.x/obj/vwww.mnt/sources/4.x/sys/toad_vwww i386

>Description:
	There exists a buffer overrun in timedc, which is installed setuid
	root by default.
	In interactive mode, if you enter a command, a pointer to each of
	the arguments is stored in the global array 'margv'.
	The problem is that the array is declared with size 20, and
	no bounds checks are done when filling this array.
	Fortunately, the command string, from which the array is filled, is
	no longer than 200 characters, allowing for only a limited range of
	memory which can be overwritten.
	On the system where I examined this bug, nothing exploitable seems
	to be in this range [1], however using a different architecture or
	compiler/linker, this may be different.
	If such an exploit were possible, this would not directly
	lead to root privileges, as these are given up as one of the
	first things in the program. It would however leave the attacker
	with a UDP socket bound to a privileged port, and a raw ICMP socket.
	[1] The command string itself IS within the overwritable range, and
	it is possible to overwrite its terminating '\0', which would cause
	the command line parsing to go on for too long. As there are not
	many variables after that in the memory page, and the end of the page
	is still a long way off, another '\0' will inevitably be encountered
	before any harm can be done.

>How-To-Repeat:
	$ timedc
	timedc> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a

>Fix:
	Delete timed/timedc and use ntpd/ntpdc.
>Release-Note:
>Audit-Trail:
>Unformatted:
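The bounds check the description says is missing, shown as an added example in C that is not timedc's own code: a hypothetical reconstruction of an interactive-mode tokenizer (the names make_argv_bounded and parse_command, and the 200-byte line buffer, are assumptions) that refuses a command carrying more arguments than the 20-entry table can hold, instead of writing past it.

```c
#include <ctype.h>
#include <string.h>

/* Sizes as given in the report: a 20-entry argument table and a
 * command line of at most 200 characters (buffer size assumed). */
#define MAX_MARGV 20
#define LINE_LEN  200

/* Bounded tokenizer (hypothetical, not timedc's own makeargv): splits
 * 'line' in place on whitespace, storing at most MAX_MARGV - 1 pointers
 * in 'argv' so the terminating NULL always fits.  Returns the argument
 * count, or -1 if the line holds more arguments than the table takes. */
static int
make_argv_bounded(char *line, char *argv[MAX_MARGV])
{
	int argc = 0;
	char *cp = line;
	for (;;) {
		while (isspace((unsigned char)*cp))
			cp++;
		if (*cp == '\0')
			break;
		if (argc >= MAX_MARGV - 1) {
			argv[argc] = NULL;	/* table full: reject, don't overrun */
			return -1;
		}
		argv[argc++] = cp;
		while (*cp != '\0' && !isspace((unsigned char)*cp))
			cp++;
		if (*cp == '\0')
			break;
		*cp++ = '\0';
	}
	argv[argc] = NULL;
	return argc;
}

/* Copies a constructed command line into a LINE_LEN buffer, rejecting
 * anything that does not fit, then tokenizes it. */
static int
parse_command(const char *cmd, char *argv[MAX_MARGV])
{
	static char line[LINE_LEN];
	size_t n = strlen(cmd);
	if (n >= LINE_LEN)
		return -1;
	memcpy(line, cmd, n + 1);
	return make_argv_bounded(line, argv);
}
```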

