unhide (part #1)

This one is in unhide, a Linux rootkit detection package.

// Temporary string for output
char scratch[1000] ;
char cmdcont[1000] ;

...

               size_t length ;
               char myexe[512] ;

               sprintf(myexe,"%s%s/exe",mypath,directory);
//               printf("%s\n",myexe);

               length = readlink(myexe, cmdcont, 1000) ;

This use of readlink() appears in a few places in the code. The trouble is that PATH_MAX isn't 1000. readlink() copies at most bufsiz bytes of the link target and never appends a NUL, so the call itself cannot overflow cmdcont, but a /proc/<pid>/exe target longer than 1000 bytes is silently cut off and cmdcont is left without a terminator. Since length is declared size_t rather than ssize_t, readlink()'s -1 error return also comes back as a huge unsigned value.

# getconf -a|grep PATH_MAX
PATH_MAX                           4096
_POSIX_PATH_MAX                    4096

A process whose executable sits at a path longer than 1000 bytes would therefore have its exe link read back wrong, which probably gives a rootkit a way to bypass unhide's check.
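The truncation described above, as an added example that is not unhide's own code: it creates a symlink with a 2000-byte target (any string shorter than PATH_MAX is a valid link target and need not exist), reads it with the same 1000-byte buffer and bufsiz that unhide uses, and beside that a checked reader that sizes its buffer at PATH_MAX + 1, keeps readlink()'s ssize_t result, treats a completely filled buffer as truncation and NUL-terminates. The temp directory name, the UNHIDE_BUF constant and the 'A'-filled target are constructed for the demo.

```c
/* Added example: readlink() truncation the way unhide calls it, beside a
 * checked version. Not unhide's code; the symlink is constructed here. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

#define UNHIDE_BUF 1000   /* the fixed size unhide uses for cmdcont */

/* Mirrors the unhide call: readlink() into a 1000-byte buffer with bufsiz 1000.
 * Returns readlink's result. *has_nul reports whether any NUL is present in the
 * buffer afterwards: readlink() never writes one, so a later strcmp() or
 * printf("%s") on cmdcont depends on whatever was already on the stack. */
static ssize_t unhide_style_readlink(const char *link, int *has_nul)
{
    char cmdcont[UNHIDE_BUF];
    memset(cmdcont, 'X', sizeof cmdcont);        /* stand-in for stale stack data */
    ssize_t n = readlink(link, cmdcont, UNHIDE_BUF);
    if (n < 0)
        return -1;
    *has_nul = memchr(cmdcont, '\0', sizeof cmdcont) != NULL;
    return n;
}

/* Checked version: the caller passes a PATH_MAX + 1 byte buffer, the result is
 * kept as ssize_t so -1 stays visible, a completely filled buffer is reported
 * as truncation instead of being used, and the result is NUL-terminated.
 * Returns the target length, -1 on error, -2 when the target did not fit. */
static ssize_t checked_readlink(const char *link, char *out, size_t outsz)
{
    if (outsz < 2)
        return -1;
    ssize_t n = readlink(link, out, outsz - 1);
    if (n < 0)
        return -1;
    if ((size_t)n == outsz - 1) {                /* possibly cut off: refuse it */
        out[0] = '\0';
        errno = ENAMETOOLONG;
        return -2;
    }
    out[n] = '\0';
    return n;
}

/* Creates a symlink whose target is target_len 'A' bytes in a temp directory
 * (hypothetical name, derived from TMPDIR or /tmp and the pid), reads it both
 * ways and removes it again. Returns 1 when the unhide-style read silently
 * truncated while the checked read got the whole target, 0 when both agree,
 * -1 on a setup failure. */
static int compare_readers(size_t target_len, ssize_t *unhide_len,
                           int *unhide_has_nul, ssize_t *checked_len)
{
    char dir[PATH_MAX], link[PATH_MAX + 8], target[PATH_MAX], full[PATH_MAX + 1];
    const char *tmp = getenv("TMPDIR");

    if (target_len >= PATH_MAX)
        return -1;
    snprintf(dir, sizeof dir, "%s/unhide_demo_%ld", tmp ? tmp : "/tmp", (long)getpid());
    snprintf(link, sizeof link, "%s/exe", dir);
    memset(target, 'A', target_len);
    target[target_len] = '\0';

    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    unlink(link);                                /* leftover from an earlier run */
    if (symlink(target, link) != 0) {
        rmdir(dir);
        return -1;
    }

    *unhide_has_nul = 0;
    *unhide_len = unhide_style_readlink(link, unhide_has_nul);
    *checked_len = checked_readlink(link, full, sizeof full);

    unlink(link);
    rmdir(dir);
    return (*unhide_len == UNHIDE_BUF && *checked_len > *unhide_len) ? 1 : 0;
}

int main(void)
{
    ssize_t u, c;
    int nul, r;

    r = compare_readers(2000, &u, &nul, &c);
    printf("2000-byte target: unhide-style read %zd bytes (NUL present: %d), checked read %zd, truncated=%d\n",
           u, nul, c, r);
    r = compare_readers(100, &u, &nul, &c);
    printf("100-byte target:  unhide-style read %zd bytes (NUL present: %d), checked read %zd, truncated=%d\n",
           u, nul, c, r);
    return 0;
}
```

Note that even the 100-byte case comes back with no NUL in the buffer: the missing terminator is not a side effect of truncation but of readlink() itself, so any fixed-buffer caller has to add one.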
