
Dsh-0.24.0 in debian has a home env Buffer Overflow Vulnerability







                            ========================================

                             Ph4nt0m Security Advisory #2003--8-10

                            ========================================



        Dsh-0.24.0 in debian has a home env Buffer Overflow Vulnerability





By "jsk" (akun), in ph4nt0m.net(c) Security.

E-mail: jsk@ph4nt0m.net 





Advisory Number : pst-2003--8-10-004

name              : dsh

versions          : 0.24.0, possibly 0.24.1

Vendor           : http://fresh.t-systems-sfr.com/linux/src/dsh-0.24.0.tar.gz

summary           : Local&remote

os(s)            : *nix

 

*****************************************************************************

Description : The bug should be present in Debian. Successful exploitation
could result in arbitrary code execution with potentially elevated privileges.



*****************************************************************************

Vulnerability details:

*****************************************************************************



dsh.c



main(int ac, char ** av)
{
  char *buf=NULL;

  setlocale (LC_ALL, "");
  if (!textdomain(PACKAGE_NAME))
    {
      if (!bindtextdomain(PACKAGE_NAME, LOCALEDIR))
        fprintf (stderr, "%s: failed to call bindtextdomain\n", PACKAGE);
    }

  load_configfile(DSH_CONF);
  if (asprintf (&buf, "%s/.dsh/dsh.conf", getenv("HOME")) < 0)  /* <-- lol */
    {
      fprintf (stderr, _("%s: asprintf failed\n"), PACKAGE);
      exit (1);
    }
  load_configfile(buf);
  free (buf);





Definition of asprintf:

int asprintf(char **strp, const char *fmt, ...)
{
  ssize_t buflen = 50 * strlen(fmt); /* pick a number, any number */  /* <-- lol */
  *strp = malloc(buflen);

  if (*strp)
  {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(*strp, buflen, fmt, ap);  /* <-- lol */
    va_end(ap);
    return buflen;
  }

hey:

length of getenv("HOME") > 50*strlen("%s/.dsh/dsh.conf")  ......buf overflow......

*****************************************************************************

By "jsk" (akun), in ph4nt0m.net(c) Security.

E-mail:jsk@ph4nt0m.net 

ph4nt0m Security Team: http://www.ph4nt0m.net 

My World: http://jsk.ph4nt0m.net

MY GnuPG Public Key: http://202.119.104.82/webeq/app/jsk/jsk.asc 
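
Added example (not part of the original advisory or of the dsh source): the fallback asprintf quoted above sizes its buffer from the format string alone, so the length of HOME never enters the calculation. The sketch below measures the formatted length before allocating and rejects an unset HOME; the names fallback_buflen, sized_asprintf and user_conf_path are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size the quoted fallback picks: depends on fmt only, never on the arguments. */
size_t fallback_buflen(const char *fmt) { return 50 * strlen(fmt); }

/* Hypothetical replacement: measure the formatted length, then allocate that much. */
int sized_asprintf(char **strp, const char *fmt, ...)
{
    va_list ap, ap2;
    int need;
    *strp = NULL;
    va_start(ap, fmt);
    va_copy(ap2, ap);                    /* the argument list is walked twice */
    need = vsnprintf(NULL, 0, fmt, ap);  /* C99: returns the length required */
    va_end(ap);
    if (need >= 0 && (*strp = malloc((size_t)need + 1)) != NULL)
        need = vsnprintf(*strp, (size_t)need + 1, fmt, ap2);
    va_end(ap2);
    if (*strp == NULL || need < 0) {
        free(*strp);                     /* free(NULL) is a no-op */
        *strp = NULL;
        return -1;
    }
    return need;                         /* bytes written, excluding the NUL */
}

/* Build "<home>/.dsh/dsh.conf". getenv() returns NULL when HOME is unset,
 * and passing NULL to %s is undefined behaviour, so reject it up front. */
char *user_conf_path(const char *home)
{
    char *buf = NULL;
    if (home == NULL || home[0] == '\0')
        return NULL;
    if (sized_asprintf(&buf, "%s/.dsh/dsh.conf", home) < 0)
        return NULL;
    return buf;                          /* caller frees */
}

int main(void)
{
    char *p = user_conf_path(getenv("HOME"));
    printf("%s\n", p ? p : "(HOME unset or empty)");
    free(p);
    return 0;
}
```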

