Vulnerability Development mailing list archives

pwdx argv buffer overflow vulnerability

From: Imran Ghory <imranghory () gmail com>
Date: Tue, 12 Apr 2005 10:04:42 +0100

[posting to vuln-dev as, while the program isn't setuid, other programs
which rely on it, and which may be running as root, may inherit its
vulnerability. A patch for this vuln has been submitted to the
maintainer of the Procps package.]

================================
pwdx argv buffer overflow vulnerability
================================

Software: pwdx (part of the procps package)
Version: Procps 3.2.5
Software URL: <http://procps.sourceforge.net/>
Platform:  Linux.
Vulnerability type: Buffer overflow
Severity: Low if pwdx is not setuid, high otherwise.
Attacker requires: Ability to affect argument being passed to pwdx
when run with privileges
Attack result: Privilege escalation by arbitrary code execution.

Vulnerable software
====================

pwdx included with Procps 3.2.5 and previous versions running on Linux.

I am not aware of any distribution which includes pwdx as setuid;
however, given its nature it may well be called by programs/scripts
which are setuid or run by a privileged user. As such the
vulnerability lies primarily in users assuming that this program is
safe.

Vulnerability
==============

In pwdx.c:

    if (regexec(&re, argv[i], 0, NULL, 0) != 0) {
        sprintf(buf, "pwdx: invalid process id: %s\n", argv[i]); // FIXME (overflow)
        die(buf);
    }

If it is unable to find a process id matching argv[1] it sprintf()s it
into a fixed-length character array. Furthermore, the function
die(char*) has a format string vulnerability due to it being
implemented in the following way:

    static void die(const char *msg)
    {
        fprintf(stderr, msg);
        exit(1);
    }

Workaround
===========

Do not setuid this program and if running the program as a privileged
user ensure that any untrusted user is unable to control the arguments
passed to pwdx.
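The two defects quoted above (an unbounded sprintf() into a fixed array, and a message passed to fprintf() as the format argument) have the standard fixes: bound the formatting with snprintf() and emit the message as data rather than as a format string. The following is an added, self-contained example of those fixes and a way to check them; it is not the patch submitted to the procps maintainer, and the 64-byte buffer size (MSG_BUF) is an assumption, since the post does not quote the size of buf in pwdx.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for this example; the real size in pwdx.c is not
 * quoted in the advisory. */
#define MSG_BUF 64

/* Bounded replacement for the sprintf() call quoted in the advisory.
 * Returns 1 if the whole message fit, 0 if it was truncated. buf is
 * always NUL-terminated when buflen > 0, so an over-long argument can
 * no longer write past the end of the array. */
static int format_invalid_pid(char *buf, size_t buflen, const char *arg)
{
    int n = snprintf(buf, buflen, "pwdx: invalid process id: %s\n", arg);
    return n >= 0 && (size_t)n < buflen;
}

/* Replacement for the body of die(): the message is written with fputs(),
 * so it is never interpreted as a format string and any '%' sequences an
 * argument contains are printed literally. */
static void print_msg(FILE *out, const char *msg)
{
    fputs(msg, out);
}

static void die(const char *msg)
{
    print_msg(stderr, msg);
    exit(1);
}

/* Demo: a 199-byte argument is truncated instead of overflowing, and an
 * argument containing '%' directives is echoed back unchanged. */
int main(void)
{
    char buf[MSG_BUF];
    char longarg[200];

    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';

    if (!format_invalid_pid(buf, sizeof buf, longarg))
        fputs("message truncated, buffer intact\n", stdout);
    print_msg(stdout, buf);

    format_invalid_pid(buf, sizeof buf, "%s%n");
    print_msg(stdout, buf);   /* the percent signs appear verbatim */
    return 0;
}
```

The return value of format_invalid_pid() lets the caller notice truncation rather than silently printing a cut-off message; the real program would still call die() afterwards, which is kept here only to show the fputs() form.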
