Vulnerability Development mailing list archives
pwdx argv buffer overflow vulnerability
From: Imran Ghory <imranghory () gmail com>
Date: Tue, 12 Apr 2005 10:04:42 +0100
[posting to vuln-dev as, while the program isn't setuid, other programs which rely on it and may be running as root may inherit its vulnerability. A patch for this vuln has been submitted to the maintainer of the Procps package.]

================================
pwdx argv buffer overflow vulnerability
================================

Software: pwdx (part of the procps package)
Version: Procps 3.2.5
Software URL: http://procps.sourceforge.net/
Platform: Linux.
Vulnerability type: Buffer overflow
Severity: Low if pwdx is not setuid, high otherwise.
Attacker requires: Ability to affect argument being passed to pwdx when run with privileges
Attack result: Privilege escalation by arbitrary code execution.

Vulnerable software
====================

pwdx included with Procps 3.2.5 and previous versions running on Linux.

I am not aware of any distribution which includes pwdx as setuid; however, given its nature it may well be called by programs/scripts which are setuid or run by a privileged user. As such the vulnerability lies primarily in users assuming that this program is safe.

Vulnerability
==============

In pwdx.c:

    if (regexec(&re, argv[i], 0, NULL, 0) != 0) {
        sprintf(buf, "pwdx: invalid process id: %s\n", argv[i]); // FIXME (overflow)
        die(buf);
    }

If it is unable to find a process id matching argv[1] it sprintf's it to a fixed length character array.

Furthermore, the function die(char*) has a format string vulnerability due to it being implemented in the following way:

    static void die(const char *msg) {
        fprintf(stderr, msg);
        exit(1);
    }

Workaround
===========

Do not setuid this program and if running the program as a privileged user ensure that any untrusted user is unable to control the arguments passed to pwdx.
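A hardened form of the two calls quoted in the post, added here as an example; it is not the patch submitted to the procps maintainer, and the buffer size MSG_BUF_LEN and the function names are assumptions. It shows the two defensive changes the advisory implies: bounding the write with snprintf so an oversized argument is truncated instead of overrunning the fixed buffer, and printing the message as data (fputs) rather than as the format string, so "%" sequences in an argument are never interpreted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed-size message buffer, standing in for the one in pwdx.c. */
#define MSG_BUF_LEN 64

/* Bounded replacement for the sprintf() call. Never writes more than buflen
   bytes (including the terminating NUL). Returns 1 if the argument had to be
   truncated to fit, 0 otherwise, so the caller can tell the two cases apart. */
int format_invalid_pid(char *buf, size_t buflen, const char *arg)
{
    int n = snprintf(buf, buflen, "pwdx: invalid process id: %s\n", arg);
    return (n < 0 || (size_t)n >= buflen) ? 1 : 0;
}

/* Replacement for die(). The message may contain attacker-controlled text,
   so it is passed to fputs() as data instead of to fprintf() as the format. */
void report_and_die(const char *msg)
{
    fputs(msg, stderr);
    exit(1);
}

/* Exercises both properties on constructed inputs: format specifiers in the
   argument survive as literal text, and an argument four times the buffer
   size is cut off with the buffer still NUL-terminated inside its bounds.
   Returns 1 on success, 0 on the first failed check. */
int self_check(void)
{
    char buf[MSG_BUF_LEN];
    char longarg[4 * MSG_BUF_LEN];

    if (format_invalid_pid(buf, sizeof buf, "%s%n") != 0) return 0;
    if (strcmp(buf, "pwdx: invalid process id: %s%n\n") != 0) return 0;

    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';
    if (format_invalid_pid(buf, sizeof buf, longarg) != 1) return 0;
    if (strlen(buf) != MSG_BUF_LEN - 1) return 0;
    if (buf[MSG_BUF_LEN - 1] != '\0') return 0;

    return 1;
}

int main(int argc, char **argv)
{
    char buf[MSG_BUF_LEN];
    const char *arg = argc > 1 ? argv[1] : "not-a-pid";

    if (format_invalid_pid(buf, sizeof buf, arg))
        fputs("(argument truncated)\n", stderr);
    report_and_die(buf);
}
```

Run it with any argument, including one containing "%s" or one longer than the buffer, and the message is printed verbatim and bounded; self_check() performs the same two checks programmatically.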