Date: Tue, 15 Aug 2000 22:24:31 -0700
From: Ben Lull <ben@VALLEYLOCAL.COM>
Subject: Stack Overflow Vulnerability in procps's top
To: BUGTRAQ@SECURITYFOCUS.COM

Description:

The utility top, included with the procps package in Slackware Linux, contains multiple buffer overruns. Although the top utility is not sXid by default, it is still a problem. Through security comes stability, and by creating secure applications, you will, in turn, create stable applications.

The overflows occur in two different places. When a call to strcpy() is made, it copies the environment variable HOME into the buffer rcfile[1024] without bounds checking.

Reproduction:

Included with this post is proof-of-concept code (topoff.c) for Slackware Linux 7.0.0 and 7.1.0. Simply remove the comment in front of '#define RET' for the version of Slackware you are testing and compile. When run, the result will be an execve()'ed /bin/sh. You can also verify that your version of top is vulnerable by setting the environment variable HOME to a string longer than 1023 bytes.

Solution:

A patch for the most current version of procps (procps-2.0.6) is attached to this post. Obtain procps-2.0.6 from any Slackware distribution site under the source/a/procps/ directory. Unpack procps-2.0.6.tar.gz and apply the included patch (procps-2.0.6.patch).

Credits:

I'd like to actually say thank you to my boss for not getting on my case when I stray from my work to play with things such as this.

Notes:

For reference, you can see all previous posts at http://www.skunkware.org/security/advisories/

- Ben

******************************
* Ben Lull                   *
* Valley Local Internet, Inc *
* Systems Administrator      *
******************************
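As an added illustration (not the post's topoff.c and not procps's own source), the unbounded copy pattern the Description names, beside a bounded replacement that rejects a HOME value that would not fit in the 1024-byte buffer; the rc file name "/.toprc" and the build_rcfile_* function names are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RCFILE_SZ   1024        /* the fixed-size buffer the advisory names */
#define RCFILE_NAME "/.toprc"   /* assumed rc file name, illustrative only */

/* Pattern the advisory describes: HOME copied into a fixed stack buffer
 * with no length check. Kept only for comparison; never call this. */
void build_rcfile_unsafe(const char *home, char rcfile[RCFILE_SZ]) {
    strcpy(rcfile, home);       /* overruns once strlen(home) >= 1024 */
    strcat(rcfile, RCFILE_NAME);
}

/* Hardened form: validate the input and bound the copy.
 * Returns 0 on success, -1 if HOME is missing/empty or if HOME plus
 * the file name plus the terminating NUL would exceed outsz. A path
 * that does not fit is rejected outright rather than silently truncated,
 * because a truncated path would point at the wrong file. */
int build_rcfile_safe(const char *home, char *out, size_t outsz) {
    if (home == NULL || home[0] == '\0' || out == NULL || outsz == 0)
        return -1;
    if (strlen(home) + strlen(RCFILE_NAME) + 1 > outsz)
        return -1;
    int n = snprintf(out, outsz, "%s%s", home, RCFILE_NAME);
    if (n < 0 || (size_t)n >= outsz)   /* belt and braces: snprintf truncated */
        return -1;
    return 0;
}

int main(void) {
    char rcfile[RCFILE_SZ];
    /* Real input: the caller's HOME, checked instead of trusted. */
    printf("HOME   -> %d\n", build_rcfile_safe(getenv("HOME"), rcfile, sizeof rcfile));
    /* Constructed input: 1500 'A's stands in for an overlong HOME. */
    char longhome[1501];
    memset(longhome, 'A', 1500);
    longhome[1500] = '\0';
    printf("1500 A -> %d\n", build_rcfile_safe(longhome, rcfile, sizeof rcfile));
    return 0;
}
```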