
Re: Possible buffer overflows = security problem?



On Fri, Sep 05, 2003 at 04:26:55PM +0100, Thomas Horsten wrote:
> Hi Frank,
> 
> On Fri, 5 Sep 2003, Frank Lichtenheld wrote:
> 
> > char path[256];
> > sprintf( path, "some string/%s", packagename);
> >
> > There are no further checks as I can see. I'm not very experienced in C
> > programming and don't know much about the details of exploiting buffer
> > overflows or the like...
> >
> > Is such code (away from the fact that it can easily lead to segfaults) a
> > security problem?
> 
> This depends on the context of the code. Generally speaking:
> 
> If the data (packagename, in your case), comes from an insecure source,
> e.g. a command line argument or a value otherwise provided by the user, it
> may be possible to craft a string that will overflow the stack in such a
> way that an embedded piece of assembler code will be executed.

Hmm, the inputs in this case are /var/lib/dpkg/status and theoretically
/var/lib/apt/lists/*_Packages, but this is broken anyway because the
program has a hardcoded /var/state/apt in it...

> This code will be run with the same privileges that your program has.
> Obviously, if the program is run from a normal shell by a normal user, and
> it is not SetUID, this would normally not be considered a security issue.
> But if the program is SetUID or SetGID, this would allow the attacker to
> e.g. start a shell (by calling exec) with those privileges.

The program is installed as /usr/sbin/magpie but can be called by any user.

The question that remains is: Does this require a security update for
the woody version of the package? Or should I just try to get this
fixed in the next release (of the package)?

Regards,
-- 
Frank Lichtenheld <frank@lichtenheld.de>
www: http://www.djpig.de/
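As an added illustration of the point discussed above (not code from the thread or from the magpie package), the following C program puts the quoted unbounded sprintf() pattern next to a bounded snprintf() version. The names bytes_sprintf_would_write, build_path, PATH_BUF and the prefix "some string/" are assumptions for this example; the long package name is constructed inline.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original thread. It contrasts the
 * unbounded sprintf() pattern quoted in the thread with a bounded
 * snprintf() that rejects over-long names instead of writing past the
 * buffer. PATH_BUF, build_path and bytes_sprintf_would_write are names
 * chosen for this example. */

#define PATH_BUF 256
static const char PREFIX[] = "some string/";   /* prefix as quoted in the thread */

/* Number of bytes (including the terminating NUL) that an unbounded
 * sprintf(path, "some string/%s", packagename) would write. Without a
 * length check, any result above PATH_BUF is a write past the end of
 * the 256-byte path[] array, i.e. the overflow the thread is about. */
size_t bytes_sprintf_would_write(const char *packagename)
{
    return sizeof(PREFIX) - 1 + strlen(packagename) + 1;
}

/* Hardened form: snprintf() never writes more than outsz bytes and
 * returns the length the full string would have had, so a result of
 * outsz or more means the name did not fit. Returns 1 on success and
 * 0 when the caller should reject the input (out is left empty). */
int build_path(char *out, size_t outsz, const char *packagename)
{
    int n = snprintf(out, outsz, "%s%s", PREFIX, packagename);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return 0;   /* would have been truncated: treat as an error */
    }
    return 1;
}

int main(void)
{
    char path[PATH_BUF];
    char longname[400];                         /* constructed over-long name */
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    printf("short name accepted: %d\n", build_path(path, sizeof(path), "magpie"));
    printf("sprintf would write %zu bytes into a %d-byte buffer\n",
           bytes_sprintf_would_write(longname), PATH_BUF);
    printf("long name rejected: %d\n", !build_path(path, sizeof(path), longname));
    return 0;
}
```

The first function only measures what the unbounded call would do; it never performs the overflowing write. Whether the overflow matters for privileges is still the question the thread raises: here the data comes from files under /var/lib, so the deciding factor is who can write those files and with what privileges the program runs.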