InfoSect's Month of Pointless Bugs (#21)

InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.

Bug #21

In bsdgames/phantasia

int
main(argc, argv)
        int     argc;
        char  **argv;
{
        bool    noheader = FALSE;       /* set if don't want header */
        bool    headeronly = FALSE;     /* set if only want header */
        bool    examine = FALSE;        /* set if examine a character */
        time_t  seconds;                /* for time of day */
        double  dtemp;                  /* for temporary calculations */

        initialstate();                 /* init globals */

...

void
initialstate()
{
        struct stat sb;

        Beyond = FALSE;
        Marsh = FALSE;
        Throne = FALSE;
        Changed = FALSE;
        Wizard = FALSE;
        Timeout = FALSE;
        Users = 0;
        Windows = FALSE;
        Echo = TRUE;

        /* setup login name */
        if ((Login = getlogin()) == NULL)
                Login = getpwuid(getuid())->pw_name;

...

+++ back to main()

        /* update some important player statistics */
        strcpy(Player.p_login, Login);

+++ how big is Player.p_login?

struct  player          /* player statistics */
    {
    double      p_experience;   /* experience */
    double      p_level;        /* level */
...
    char        p_login[SZ_LOGIN];      /* login */
    };

+++ ok.. so lets look at SZ_LOGIN

#define SZ_LOGIN        9               /* size of login (incl. trailing nul) */

So this code assumes login names are only 8 chars long? Otherwise there is a buffer overflow. The Player structure is in the bss section.

Comments

Popular posts from this blog

NetBSD kernel wscons IOCTL vulnerable bug class

InfoSect's Month of Pointless Bugs (#1, #2)

InfoSect's Month of Pointless Bugs (#3)