Vulnerability
/usr/bin/which
Affected
Slackware 4.0, 7.0
Description
'enthh' posted following. He has recently found a buffer overflow
in Slackware 4.0, and 7.0.0's /usr/bin/which (others?). It
overflows at about 985 bytes, and although its not setuid(), alot
of programs use which to find system files, indirectly causing
other programs to overflow. Do an exploit as an exercize.
/* which - C version of the unix/csh 'which' command
* vix 23jul86 [written]
* vix 24jul86 [don't use dynamic memory]
*/
#include <stdio.h>
static char *myname;
main(argc, argv)
int argc;
char *argv[];
{
char *getenv(), *path = getenv("PATH");
myname = argv[0];
for (argc--, argv++; argc; argc--, argv++)
if (0 != which(*argv, path))
exit(1);
exit(0);
}
static which(name, path)
char *name, *path;
{
char test[1000], *pc, *malloc(), save;
int len, namelen = strlen(name), found;
pc = path;
found = 0;
while (*pc != '\0' && found == 0)
{
len = 0;
while (*pc != ':' && *pc != '\0')
{
len++;
pc++;
}
save = *pc;
*pc = '\0';
sprintf(test, "%s/%s", pc-len, name);
*pc = save;
if (*pc)
pc++;
found = (0 == access(test, 01)); /* executable */
if (found)
puts(test);
}
if (found == 0)
{
printf("%s: no %s in (%s)\n", myname, name, path);
return 1;
}
return 0;
}
Solution
Nothing yet.
The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2009 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.
