Buffer overflow in modstat
2f494576788aabd6b420c7bcca416ca2cccb337f9f9800c5552e3e7b3cb7880b
From security-officer@FreeBSD.ORG Tue Dec 10 17:22:37 1996
Date: Tue, 10 Dec 1996 14:03:03 -0600
From: FreeBSD Security Officer <security-officer@FreeBSD.ORG>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Subject: FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr (REVISED)
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-96:19 Security Advisory
FreeBSD, Inc.
Topic: Buffer overflow in modstat
Category: core
Module: modstat
Announced: 1996-12-10
Affects: FreeBSD 2.0, 2.0.5, 2.1, 2.1.5, 2.1.6, 2.1.6.1
Corrected: FreeBSD-current as of 1996/08/08
FreeBSD only: no
Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:19/
=============================================================================
I. Background
The modstat program is used to display status of loaded kernel modules.
It is standard software in the FreeBSD operating system.
II. Problem Description
The modstat program has always been installed setuid kmem. Within
the program, a buffer overflow can occur.
III. Impact
Local users can gain kmem privileges.
IV. Workaround
Modstat does not need to be setuid kmem. It is thus sufficient to
do the following:
su
cd /usr/bin
chmod 555 modstat
This effectively clears the setuid bit on the modstat program.
V. Solution
Apply the following patch:
(This patch can also be found on
ftp://freebsd.org/pub/CERT/patches/SA-96:19)
Index: Makefile
===================================================================
RCS file: /home/freebsd/CVS/src/usr.bin/modstat/Makefile,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
- --- Makefile 1994/08/19 12:14:02 1.1
+++ Makefile 1996/05/30 02:19:03 1.2
@@ -38,7 +38,5 @@
PROG= modstat
MAN8= modstat.8
- -BINGRP= kmem
- -BINMODE=2555
.include <bsd.prog.mk>
Index: modstat.c
===================================================================
RCS file: /home/freebsd/CVS/src/usr.bin/modstat/modstat.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
- --- modstat.c 1995/04/20 05:08:53 1.3
+++ modstat.c 1996/08/08 07:58:07 1.4
@@ -72,8 +72,9 @@
{
struct lmc_stat sbuf;
+ sbuf.name[MAXLKMNAME - 1] = '\0'; /* In case strncpy limits the string. */
if (modname != NULL)
- - strcpy(sbuf.name, modname);
+ strncpy(sbuf.name, modname, MAXLKMNAME - 1);
sbuf.id = modnum;
=============================================================================
FreeBSD, Inc.
Web Site: http://www.freebsd.org/
Confidential contacts: security-officer@freebsd.org
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications: security-notifications@freebsd.org
Security public discussion: security@freebsd.org
Notice: Any patches in this document may not apply cleanly due to
modifications caused by digital signature or mailer software.
Please reference the URL listed at the top of this document
for original copies of all patches if necessary.
=============================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMq2381UuHi5z0oilAQE99wP+NktTxugo1lrVDm0FVcmqd8c3zu6s95Wt
WCvM9GLECCVB+sFbssbikQc35SvgzEjnE4lZ3J4VBrAoThG3tLOmO5si0csM8dwE
QPGMyR/fdU7DpYXEK/XKuDxre1TDJ0uOwU9DfBewgy0o5OiybRR5dxj3nsJIznnd
F5O6NNppKb0=
=qcrF
-----END PGP SIGNATURE-----