InfoSect's Month of Pointless Bugs (#26)

InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.

Bug #26

In bsdgames/sail

        FILE *fp;
        char sbuf[32];


       while (fread((char *)&log, sizeof log, 1, fp) == 1 &&
               log.l_name[0] != '\0') {
                if (longfmt && (pass = getpwuid(log.l_uid)) != NULL)
                        sprintf(sbuf, "%10.10s (%s)", log.l_name, pass->pw_name);
                        sprintf(sbuf, "%20.20s", log.l_name);

Lets look at what the max username length is on my specific system:

$ getconf LOGIN_NAME_MAX

Now if we combine this with the fact the calls to setegid() don't check the return value and may fail (see  we may have a bug chain leading to a stack overflow at the privilege of gid games.


Popular posts from this blog

NetBSD kernel wscons IOCTL vulnerable bug class

InfoSect's Month of Pointless Bugs (#1, #2)

InfoSect's Month of Pointless Bugs (#3)