Bugtraq mailing list archives

Re: L0pht Advisory: modstat


From: eivind () DIMAGA COM (Eivind Eklund)
Date: Tue, 10 Dec 1996 11:29:16 +0100


                         L0pht Security Advisory
                      Advisory released Dec 9 1996

                          Application: modstat

                Vulnerability Scope: systems with the *BSD
                   distribution of modstat sgid kmem

                       Author: mudge () l0pht com

The problem exists in the dostat() routine where an arbitrary sized string
is shoved into sbuf.name through a strcpy().

Here is a patch for FreeBSD 2.1.6 (should be extremely similar on other BSD
4.4 derivatives)

75,80c75,77
<       if (modname != NULL) {
<               strncpy(sbuf.name, modname, sizeof(sbuf.name));
<               sbuf.name[sizeof(sbuf.name)-1] = 0; /* Ensure termination */
<       } else {
<               sbuf.name[0] = 0;
<       }
---
      if (modname != NULL)
              strcpy(sbuf.name, modname);
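
Review bot: The hunk is written in the reverse direction: the bounded copy `strncpy(sbuf.name, modname, sizeof(sbuf.name));` sits on the `<` (first file) side, while the original `strcpy(sbuf.name, modname);` lines follow the `---` separator without their `>` markers, so as posted it has to be read and applied reversed to land the fix. The `75,77` range in the header also names three lines where only two are shown. Regenerating it as `diff old new` would remove the ambiguity. In the fixed branch itself, a modname longer than `sizeof(sbuf.name)-1` bytes is silently truncated, so the routine carries on with a name other than the one the caller passed; checking `strlen(modname)` against `sizeof(sbuf.name)` first and exiting with an error would make that case explicit. The explicit termination after `strncpy()` and the `sbuf.name[0] = 0;` branch for a NULL modname are both worth keeping.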


This also fixes a minor bug with an uninitialized printf() %s parameter if
passed a NULL modname.
--
Eivind Eklund             gopher://nic.follonett.no:79/0eivind
Work: eivind () dimaga com   http://www.dimaga.com/
Home: perhaps () yes no      http://maybes.yes.no/perhaps/
All of the above is a product of either your or my imagination, and not
official.
