InfoSect's Month of Pointless Bugs (#26)

InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.

Bug #26

In bsdgames/sail

int
lo_main(void)
{
        FILE *fp;
        char sbuf[32];

...

        while (fread((char *)&log, sizeof log, 1, fp) == 1 &&
               log.l_name[0] != '\0') {
                if (longfmt && (pass = getpwuid(log.l_uid)) != NULL)
                        sprintf(sbuf, "%10.10s (%s)", log.l_name, pass->pw_name);
                else
                        sprintf(sbuf, "%20.20s", log.l_name);

Let's look at what the max username length is on my specific system:

$ getconf LOGIN_NAME_MAX
256

Now if we combine this with the fact that the calls to setegid() don't check the return value and may fail (see http://blog.infosectcbr.com.au/2018/02/infosects-month-of-pointless-bugs-3.html), we may have a bug chain leading to a stack overflow at the privilege of gid games.
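To make the size mismatch concrete, the following added example (not code from bsdgames or from the original post) measures how many bytes the long-format string needs without writing them, and shows a bounded replacement that reports truncation. The helper names longfmt_needed and format_entry, the SBUF_SIZE macro and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SBUF_SIZE 32	/* size of sbuf in lo_main() */

/* Bytes (including the NUL) that the long-format sprintf() would write.
 * snprintf(NULL, 0, ...) only measures, so nothing is overflowed here. */
static size_t
longfmt_needed(const char *l_name, const char *pw_name)
{
	int n = snprintf(NULL, 0, "%10.10s (%s)", l_name, pw_name);
	return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded form of both branches: 0 if the entry fit, -1 if truncated.
 * A NULL pw_name stands in for the short-format branch. */
static int
format_entry(char *dst, size_t dstsz, const char *l_name, const char *pw_name)
{
	int n;

	if (pw_name != NULL)
		n = snprintf(dst, dstsz, "%10.10s (%s)", l_name, pw_name);
	else
		n = snprintf(dst, dstsz, "%20.20s", l_name);
	return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}

int
main(void)
{
	char sbuf[SBUF_SIZE];
	char longname[256];	/* constructed: 255 characters plus NUL */

	memset(longname, 'a', sizeof longname - 1);
	longname[sizeof longname - 1] = '\0';

	printf("short name needs %zu bytes\n",
	    longfmt_needed("Victory", "alice"));
	printf("255-char name needs %zu bytes, sbuf holds %d\n",
	    longfmt_needed("Victory", longname), SBUF_SIZE);
	printf("bounded call returned %d: \"%s\"\n",
	    format_entry(sbuf, sizeof sbuf, "Victory", longname), sbuf);
	return 0;
}
```

The fixed part of the long format takes 13 characters plus the terminating NUL, so any pw_name longer than 18 characters no longer fits in the 32-byte sbuf, while the "%20.20s" branch always fits.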
