Bugtraq mailing list archives
checkps non-exploitable buffer overrun
From: dps () IO STARGATE CO UK (Duncan Simpson)
Date: Wed, 17 May 2000 20:38:46 +0000
Vulnerable software: checkps 1.2 and earlier
Not vulnerable: latest version from CVS
Impact: crackers with root can cause checkps to segfault. (This could be used to probe for the program.)
Author of buggy program: Duncan Simpson :-)
Website: http://checkps.alcom.co.uk
Alternative download location: sourceforge.net

I have recently restarted checkps development and noticed that checkps, my root kit ps detector for Linux (and others with /proc, albeit with less functionality), has a "feature" that scribbles beyond the end of a buffer in log_email.c if more than 10Kb is sent to log() between calls to log_flush(). This buffer can not be exploited to run arbitrary code because all you can scribble are messages along the lines of "Fake pid <number> detected", "Hidden pid <number>" and "Pid <number>: fd <number> is <...>" for various all-plain-text and number values of <...>. Even if you could put shell code in, the buffer is allocated on the heap and contains no pointers to anything.

The latest version is available by anonymous CVS from sourceforge. Point your browser at http://www.sourceforge.net and enter checkps in the search box. The next version will include the fix and Linux netstat support. The new reasons you should upgrade include:

o All systems
- small fixes to the daemon startup code.
- new --confirm option that logs the startup of the daemon (email mode logging strongly suggested if you use this feature).
- Safer defaults in cfg_smtp.h, including a comment to prevent the program compiling if you forget to edit it.
- OS specific stuff moved into separate directories
- README update

o Linux
- Recognise linux-gnu as linux
- significant portion of netstat scanning.
- much more detailed device and socket information.

o Developers
- code for reading various sorts of numbers and convenience function to perform struct file format checks (utils.c and utils.h)
- UDP datagram based localhost detector (thishost.c)

A release date for the next version is hard to predict. If it is too long could someone please kick me hard enough to produce an interim release. There is definite CVS write access for those that wish to add a solaris, hpux, irix or windows NT directory. The latter is only recommended for serious masochists. Come on, you know you want to improve checkps support for non-linux operating systems. (Hopefully at least one of these systems makes the next release.)

--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
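The defect described in the post is a classic one for buffered loggers: messages are appended to a fixed heap buffer and only written out by an explicit flush, so a burst of more than the buffer's size between flushes runs off the end. The C below is an added example, not checkps code; it models that scheme with a hardened append that flushes when the next message would not fit, plus a canary after the buffer so a test can prove nothing was written past it. The names log_buffer_t, log_msg(), log_stress(), log_buffer_intact() and LOG_BUF_SIZE are assumptions for this example; the 10 KB size is the figure from the post.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not checkps code. Models the post's logging scheme:
 * messages accumulate in a fixed heap buffer and are only written out
 * by log_flush(). All names below are assumptions for this example. */

#define LOG_BUF_SIZE 10240   /* 10 KB, the limit mentioned in the post */
#define CANARY_SIZE 16

typedef struct {
    char *buf;              /* LOG_BUF_SIZE bytes of log text, then the canary */
    size_t len;             /* bytes currently pending in buf */
    size_t flushed_bytes;   /* total bytes handed to log_flush() so far */
    unsigned flush_count;   /* number of flushes performed */
} log_buffer_t;

/* Allocate the buffer plus a canary region right after it. The canary exists
 * only so a test can prove nothing was written past LOG_BUF_SIZE. */
int log_buffer_init(log_buffer_t *lb) {
    lb->buf = malloc(LOG_BUF_SIZE + CANARY_SIZE);
    if (lb->buf == NULL) return -1;
    memset(lb->buf + LOG_BUF_SIZE, 0xA5, CANARY_SIZE);
    lb->len = 0;
    lb->flushed_bytes = 0;
    lb->flush_count = 0;
    return 0;
}

void log_buffer_free(log_buffer_t *lb) {
    free(lb->buf);
    lb->buf = NULL;
}

/* Returns 1 if the canary bytes after the buffer are untouched, else 0. */
int log_buffer_intact(const log_buffer_t *lb) {
    for (size_t i = 0; i < CANARY_SIZE; i++)
        if ((unsigned char)lb->buf[LOG_BUF_SIZE + i] != 0xA5) return 0;
    return 1;
}

/* Write out whatever is pending; stdout stands in for the e-mail sink. */
void log_flush(log_buffer_t *lb) {
    if (lb->len == 0) return;
    fwrite(lb->buf, 1, lb->len, stdout);
    lb->flushed_bytes += lb->len;
    lb->flush_count++;
    lb->len = 0;
}

/* Hardened log(): format into a bounded scratch buffer first, then flush
 * pending text if the new message would not fit. The vulnerable pattern in
 * the post is this function without the "would it fit?" check, i.e. an
 * sprintf()/strcat() straight into buf + len, which walks past the end once
 * more than LOG_BUF_SIZE bytes arrive between flushes.
 * Returns bytes appended, or -1 on a formatting error. */
int log_msg(log_buffer_t *lb, const char *fmt, ...) {
    char tmp[512];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(tmp, sizeof tmp, fmt, ap);
    va_end(ap);
    if (n < 0) return -1;
    size_t need = (size_t)n;
    if (need >= sizeof tmp) need = sizeof tmp - 1;    /* vsnprintf truncated */
    if (lb->len + need > LOG_BUF_SIZE) log_flush(lb);  /* make room first */
    memcpy(lb->buf + lb->len, tmp, need);
    lb->len += need;
    return (int)need;
}

/* Stress helper: log `count` constructed messages of the kind the post names
 * with no log_flush() calls in between; returns total bytes logged. */
size_t log_stress(log_buffer_t *lb, int count) {
    size_t total = 0;
    for (int i = 0; i < count; i++) {
        int n = log_msg(lb, "Fake pid %d detected\n", 1000 + i);  /* 23 bytes each */
        if (n > 0) total += (size_t)n;
    }
    return total;
}

int main(void) {
    log_buffer_t lb;
    if (log_buffer_init(&lb) != 0) return 1;
    size_t total = log_stress(&lb, 1000);   /* 23000 bytes, well over 10 KB */
    log_flush(&lb);
    printf("logged %zu bytes in %u flushes, canary %s\n", total, lb.flush_count,
           log_buffer_intact(&lb) ? "intact" : "CORRUPTED");
    log_buffer_free(&lb);
    return 0;
}
```

The point of the canary is the check a maintainer would want after fixing this kind of bug: run the logger well past the buffer size without flushing and verify the bytes after the buffer are unchanged, rather than relying on the absence of a segfault.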