Vulnerability Development mailing list archives
/usr/bin/which overflow
From: "enthh () FLASH NET" <enthh () FLASH NET>
Date: Thu, 8 Feb 2001 17:23:07 -0500
Hello, I have recently found a buffer overflow in Slackware 4.0, and 7.0.0's /usr/bin/which (I assume others). It overflows at about 985 bytes, and although it's not setuid(), a lot of programs use which to find system files, indirectly causing other programs to overflow. I don't know much about the program (and there's no use for an exploit), although I have a few questions. Is it a heap or stack-based overflow? How do you know? Is it a format string bug as well? Below is a copy of which.c

/* which - C version of the unix/csh 'which' command
 * vix 23jul86 [written]
 * vix 24jul86 [don't use dynamic memory]
 */
#include <stdio.h>
#include <stdlib.h>     /* getenv, exit */
#include <string.h>     /* strlen */
#include <unistd.h>     /* access */

static char *myname;
static int which(char *name, char *path);

int main(int argc, char *argv[])
{
    char *path = getenv("PATH");

    myname = argv[0];
    for (argc--, argv++; argc; argc--, argv++)
        if (0 != which(*argv, path))
            exit(1);
    exit(0);
}

static int which(char *name, char *path)
{
    char test[1000], *pc, save;
    int len, namelen = strlen(name), found;

    pc = path;
    found = 0;
    while (*pc != '\0' && found == 0) {
        len = 0;
        while (*pc != ':' && *pc != '\0') {
            len++;
            pc++;
        }
        save = *pc;
        *pc = '\0';
        sprintf(test, "%s/%s", pc-len, name);  /* unbounded write into test[1000] */
        *pc = save;
        if (*pc)
            pc++;
        found = (0 == access(test, 01));       /* executable */
        if (found)
            puts(test);
    }
    if (found == 0) {
        printf("%s: no %s in (%s)\n", myname, name, path);
        return 1;
    }
    return 0;
}

Any information would be greatly appreciated.
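The posted which.c builds each candidate path with sprintf() into test[], a 1000-byte automatic (stack) array, so a PATH component plus the program name longer than the array overruns the stack frame; the printf() in it takes a constant format string. The bounds-checked rewrite below is an added example, not the original program and not a reply from the list: it replaces sprintf() with snprintf(), treats truncation as a refusal to test that component, and takes the filesystem check as a callback so the search logic runs offline. The function names (build_candidate, safe_which, fake_check, the demo_ functions) and the constructed PATH values are assumptions made for illustration.

```c
/* Added example (not the posted which.c): bounds-checked candidate building.
 * Function names and the constructed PATH strings are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#define TEST_LEN 1000   /* same size as test[] in the posted which.c */

static char scratch[TEST_LEN];   /* buffer for stand-alone checks */

/* Write "dir/name" (dirlen bytes of dir) into out. Returns 0 on success and
 * -1 when the result would not fit; that is exactly the input which overran
 * the original buffer. out is left empty on failure. */
int build_candidate(char *out, size_t outsz, const char *dir, size_t dirlen,
                    const char *name)
{
    int n = snprintf(out, outsz, "%.*s/%s", (int)dirlen, dir, name);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Walk a colon-separated PATH like the posted which(). Returns 1 and copies
 * the match into found_out when check() accepts a candidate, 0 when nothing
 * matched, and -1 when nothing matched but a component was too long to test.
 * check() stands in for access(candidate, X_OK). */
int safe_which(const char *name, const char *path, int (*check)(const char *),
               char *found_out, size_t found_sz)
{
    char test[TEST_LEN];
    const char *pc = path;
    int too_long = 0;

    while (*pc != '\0') {
        size_t len = strcspn(pc, ":");          /* length of this component */
        if (build_candidate(test, sizeof test, pc, len, name) == 0) {
            if (check(test)) {
                if (found_out)
                    snprintf(found_out, found_sz, "%s", test);
                return 1;
            }
        } else {
            too_long = 1;                       /* skipped, not overflowed */
        }
        pc += len;
        if (*pc == ':')
            pc++;
    }
    return too_long ? -1 : 0;
}

/* Real filesystem check for stand-alone use. */
int is_executable(const char *candidate)
{
    return access(candidate, X_OK) == 0;
}

/* Constructed stand-in for the checks below: only "/usr/bin/ls" "exists". */
int fake_check(const char *candidate)
{
    return strcmp(candidate, "/usr/bin/ls") == 0;
}

/* Returns 1 when a constructed normal PATH resolves "ls" to /usr/bin/ls. */
int demo_normal_path(void)
{
    char out[TEST_LEN];
    int r = safe_which("ls", "/sbin:/usr/bin", fake_check, out, sizeof out);
    return r == 1 && strcmp(out, "/usr/bin/ls") == 0;
}

/* Constructed PATH of a single 1000-byte component: "AAA.../ls" needs 1004
 * bytes, so the component is rejected (-1) instead of overrunning test[]. */
int demo_overlong_component(void)
{
    char path[1001];
    memset(path, 'A', 1000);
    path[1000] = '\0';
    return safe_which("ls", path, fake_check, NULL, 0);
}

int main(int argc, char *argv[])
{
    char out[TEST_LEN];
    const char *path = getenv("PATH");
    if (argc < 2 || path == NULL) {
        fprintf(stderr, "usage: %s name\n", argv[0]);
        return 2;
    }
    int r = safe_which(argv[1], path, is_executable, out, sizeof out);
    if (r == 1)
        puts(out);
    else
        printf("%s: no %s in (%s)\n", argv[0], argv[1], path);
    return r == 1 ? 0 : 1;
}
```

Compiled stand-alone, `./a.out ls` behaves like the posted program on an ordinary PATH; the difference shows only on an over-long component, which the original wrote past the end of test[] and this version reports as not checked.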
Current thread:
- /usr/bin/which overflow enthh () FLASH NET (Feb 08)