chkrootkit (part #2)
Following on from the previous bug, http://blog.infosectcbr.com.au/2018/03/chkrootkit.html
int main(int argc, char*argv[]) {
    /* Excerpt of chkrootkit's wtmp/lastlog checker: only the local
     * declarations and the first two copies are shown; the body of
     * main() continues beyond this fragment. */
    int fh_wtmp;
    int fh_lastlog;
    struct lastlog lastlog_ent;
    struct utmp utmp_ent;
    long userid[MAX_ID];
    long i, slot;
    int status = 0;
    long wtmp_bytes_read;
    struct stat wtmp_stat;
    struct s_localpwd *localpwd;
    uid_t *uid;
    int quiet = 0;
    /* Fixed 128-byte path buffers, never initialised as a whole. */
    char wtmpfile[128], lastlogfile[128];
    /* memcpy moves exactly 127 bytes regardless of the source's length:
     * byte [127] is never written, so no NUL terminator is guaranteed,
     * and if WTMP_FILENAME / LASTLOG_FILENAME (defined outside this
     * listing) are shorter than 127 bytes the copy reads past them.
     * snprintf(buf, sizeof buf, "%s", src) would bound the read to the
     * source and always terminate the result. */
    memcpy(wtmpfile, WTMP_FILENAME, 127);
    memcpy(lastlogfile, LASTLOG_FILENAME, 127);
int main(int argc, char*argv[]) {
    /* Excerpt of chkrootkit's wtmp/lastlog checker: only the local
     * declarations and the hand-rolled option parsing are shown; the
     * rest of main() is outside this listing. */
    int fh_wtmp;
    int fh_lastlog;
    struct lastlog lastlog_ent;
    struct utmp utmp_ent;
    long userid[MAX_ID];
    long i, slot;
    int status = 0;
    long wtmp_bytes_read;
    struct stat wtmp_stat;
    struct s_localpwd *localpwd;
    uid_t *uid;
    int quiet = 0;
    /* Fixed 128-byte path buffers. Every copy into them below moves
     * exactly 127 bytes with memcpy, independent of the source string's
     * length, and never writes a terminator: byte [127] stays
     * uninitialised, so nothing guarantees these are valid C strings
     * when they are used later. */
    char wtmpfile[128], lastlogfile[128];
    /* WTMP_FILENAME / LASTLOG_FILENAME are defined outside this listing;
     * if either is shorter than 127 bytes this reads past the end of it.
     * snprintf(buf, sizeof buf, "%s", src) would bound the read to the
     * source and always NUL-terminate the destination. */
    memcpy(wtmpfile, WTMP_FILENAME, 127);
    memcpy(lastlogfile, LASTLOG_FILENAME, 127);
    while (--argc && ++argv) /* poor man getopt */
    {
        /* memcmp compares two bytes whatever the argument's length, so
         * any argument starting with "-f" matches, and an empty argument
         * (a one-byte object) is read two bytes deep. Same for -l / -q. */
        if (!memcmp("-f", *argv, 2))
        {
            if (!--argc)
                break;
            ++argv;
            /* Command-line string copied with a fixed length: a short
             * argument over-reads beyond its NUL into adjacent argv/env
             * memory, a long one is truncated without a terminator.
             * The -l branch below repeats the pattern. */
            memcpy(wtmpfile, *argv, 127);
        }
        else if (!memcmp("-l", *argv, 2))
        {
            if (!--argc)
                break;
            ++argv;
            memcpy(lastlogfile, *argv, 127);
        }
        else if (!memcmp("-q", *argv, 2))
        {
            quiet = 1;
        }
    }
The lastlogfile and wtmpfile stack buffers are not guaranteed to be NUL-terminated, and there is also a buffer over-read: memcpy always copies 127 bytes, regardless of how long the source string actually is. Why, oh why, are they using memcpy instead of a string copy?