InfoSect's Month of Pointless Bugs (#20)

InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.

Bug #20

There is a null pointer dereference in bsdgames/sail. If the program is executed with a NULL argv, then *argv is NULL and strrchr will segfault. It's not exploitable. It's interesting because sail is sgid games.

int
main(int argc, char **argv)
{
        char *p;
        int a,i;
        int fd;

        gid = getgid();
        egid = getegid();
        setegid(gid);

        fd = open("/dev/null", O_RDONLY);
        if (fd < 3)
                exit(1);
        close(fd);

        srandom((u_long)time(NULL));

        if ((p = strrchr(*argv, '/')) != NULL)
                p++;
        else
                p = *argv;

To trigger:

$ cat hack.c
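#include <unistd.h>

int
main(int argc, char *argv[])
{
        /* Execute the target with a NULL argv and a NULL envp. */
        execve(argv[1], NULL, NULL);
        return 1;       /* only reached if execve() fails */
}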
$ gcc hack.c -o /tmp/a.out
$ /tmp/a.out /usr/games/sail 
Segmentation fault
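
A hardened form of the program-name lookup shown above, as an added example (not the bsdgames code or its actual fix). `safe_progname` and `FALLBACK_NAME` are hypothetical names; the check covers both a NULL `argv[0]` and the empty-string `argv[0]` that Linux 5.18 and later substitute when execve is given an empty argument vector.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fallback, used when the caller supplied no usable argv[0]. */
#define FALLBACK_NAME "sail"

/*
 * Return the basename of argv[0] without ever dereferencing NULL.
 * Cases an execve() caller can produce:
 *   - argv[0] == NULL  (empty argument vector, as in the trigger above)
 *   - argv[0] == ""    (what Linux 5.18+ passes for an empty argv)
 *   - argv[0] ends in '/', so there is no basename component
 * argc < 1 and argv == NULL are checked as well, defensively.
 */
const char *
safe_progname(int argc, char **argv)
{
        const char *name, *slash;

        if (argc < 1 || argv == NULL || argv[0] == NULL || argv[0][0] == '\0')
                return FALLBACK_NAME;

        name = argv[0];
        slash = strrchr(name, '/');     /* safe: name is non-NULL here */
        if (slash != NULL)
                name = slash + 1;

        /* "/tmp/" leaves an empty basename; do not hand that back. */
        return (*name != '\0') ? name : FALLBACK_NAME;
}

int
main(int argc, char **argv)
{
        /* Run via the hack.c launcher above to see the NULL-argv path. */
        printf("program name: %s\n", safe_progname(argc, argv));
        return 0;
}
```

A setgid program may prefer to exit with an error instead of falling back to a default name; the point is that the decision is made before `strrchr` sees the pointer.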

