Re: sadc Segmentation Fault

[KF <dotslash () snosoft com>]

OpenServer 5.0.6 sadc also causes core dump... 
-KF

VISC Network wrote:
> I just did a quick look at sadc source code included in sysstat-3.3.5
> package (RH 7.1).
>
> /* sadc.c */
>     1214:    char ofile[MAX_FILE_LEN];
>
> ...
>
>     1320:                /* Write data to file */
>     1321:                strcpy(ofile, argv[opt]);
> ..
> // EOF
>
> [redragon@redhat sysstat-3.3.5]$ grep MAX_FILE_LEN *.h
> common.h:#define MAX_FILE_LEN   256
>
> The space reserved in the stack for 'ofile'  is 256bytes. So when running
> the program with an argument longer than 256 characters, the data overflows
> the buffer.
>
> It's easy to write an exp for this bug. But no file in sysstat package has
> suid .. ehe ;-D
>
> Further, not only sadc, there are similar bugs in sysstat package, Ex : sar
> -f `perl -e 'print "A" x 300'`
>
> [redragon@redhat sysstat-3.3.5]$ grep strcpy *.c
> iostat.c:           strcpy(disk_hdr_stats[part_nr++].name, part_hdr.name);
> sadc.c:      strcpy(st_net_dev_i->interface, "?");
> sadc.c:        strcpy(ofile, argv[opt]);
> sadc.c:     strcpy(ofile, new_ofile);
> sar.c:   strcpy(args[i], ltemp);
> sar.c:      strcpy(to_file, argv[opt++]);
> sar.c:      strcpy(to_file, "-");
> sar.c:      strcpy(from_file, argv[opt++]);
> sar.c:      strcpy(time_stamp, argv[opt++]);
> sar.c:      strcpy(time_stamp, DEF_TMSTART);
> sar.c:      strcpy(time_stamp, argv[opt++]);
> sar.c:      strcpy(time_stamp, DEF_TMEND);
> sar.c:         strcpy(ltemp, K_SELF);
> sar.c:      strcpy(ltemp, "1");
>
> The author of systat was notified on this bug.
> Lastest version of systat (4.0.2) is buggy also
>
> ReDragon
> ------------------------------------------------------
> Email: redragon at vnSecurity.net
> http://www.vnSecurity.net
>
> "smackenz" <smackenz () brad ac uk> wrote :
> > Bug with Command::              sadc
> > Located::                       /usr/lib/sa/sadc
> > Date:           Mon Dec  3 21:01:19 GMT 2001
> > Program:        sadc  (/usr/lib/sa/sadc)
> > Problem:        Segmentation fault
> > DESCRIPTION (from man)
> >        The sadc command samples system data a specified number of
> >        times  (  count ) at a specified interval measured in sec
> >        onds ( interval ).
> >        The sadc command is intended to be used as  a  backend  to
> >        the sar command.
> >        The proc filesystem must be mounted for the sadc command to work.
> >        /var/log/sa/sadd  -->  daily report file.
> >
> > I don't know much about this command except it is run with system level
> > privileges by executing /usr/lib/sa/sadc [if you have it on your system].
> > I'm not sure if this command is occasionally run by root from a default
> > install (i.e redhat 7.1) since I have had not time at all to look into it.
> > If anyone knows more about the system usage of this program, there
> > comments would be greatly appreciated.
> > See below for shell examples.
> > -----------------------------------------------
> > [smackenz@mainframe smackenz]$ id
> > uid=1001(smackenz) gid=1001(smackenz) groups=1001(smackenz)
> > [smackenz@mainframe smackenz]$ /usr/lib/sa/sadc Cannot open
> > /var/log/sa/sa03: Permission denied
> > <log files.....>
> > smackenz@mainframe smackenz]$ ps aux |grep sadc
> > smackenz  1608  0.0  0.2  1732  592 pts/1    R    21:14   0:00   grep sadc
> > <not running at all....>
> > Following this as user 'smackenz' I carried out the following commands:
> > [smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 200'`
> > [smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 210'`
> > [smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 220'`
> > [smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 230'`
> > [smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 240'`
> > [smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 250'`
> > [smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 260'`
> > Cannot open
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
> > File name too long
> > [smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 270'`
> > Cannot open
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
> > File name too long
> > etc.... until
> > [smackenz@mainframe smackenz]$ /usr/lib/sa/sadc `perl -e 'print "A" x 290'`
> > Segmentation fault (core dumped)
> > -------------------------------------------------------
> > Later
> > Scott.