Date:         Tue, 15 Aug 2000 22:24:31 -0700
From: Ben Lull <ben@VALLEYLOCAL.COM>
Subject:      Stack Overflow Vulnerability in procps's top
To: BUGTRAQ@SECURITYFOCUS.COM

Description:

The utility top, included with the procps package in Slackware Linux,
contains multiple buffer overruns.  Although the top utility is not sXid
by default, it is still a problem.  Through security comes stability, and
by creating secure applications, you will, in turn, create stable
applications.  The overflows occur in two different places.  When a call
to strcpy() is made, it copies the environment variable HOME into the
buffer rcfile[1024] without bounds checking.


Reproduction:

Included with this post is proof of concept code (topoff.c) for Slackware
Linux 7.0.0 and 7.1.0.  Simply remove the comment in front of
'#define RET' for the version of Slackware which you are testing and
compile.  When run, the result will be an execve()'ed /bin/sh.  You can
also verify that your version of top is vulnerable by setting the
environment variable HOME to a string greater than 1023 bytes.


Solution:

A patch for the most current version of procps (procps-2.0.6) is attached
to this post.  Obtain procps-2.0.6 from any Slackware distribution site
under the source/a/procps/ directory.  Unpack procps-2.0.6.tar.gz and
apply the included patch (procps-2.0.6.patch).


Credits:

I'd like to actually say thank you to my boss for not getting on my case
when I stray from my work to play with things such as this.


Notes:
For reference, you can see all previous posts at
http://www.skunkware.org/security/advisories/


- Ben

******************************
* Ben Lull                   *
* Valley Local Internet, Inc *
* Systems Administrator      *
******************************
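
Added example, not part of the original post and not the attached procps-2.0.6.patch: a bounded way to build the rc file path from HOME that rejects over-long values instead of overrunning rcfile[1024]. The helper names, the ".toprc" file name and the "/" join are assumptions made for illustration; only the buffer size and the use of HOME come from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RCFILE_MAX 1024      /* size of rcfile[] given in the advisory */
#define RC_NAME    ".toprc"  /* assumed rc file name, not stated in the post */

/* Pattern described in the advisory, kept as a comment only:
 *     char rcfile[1024];
 *     strcpy(rcfile, getenv("HOME"));   // no length check, no NULL check */

/* Hypothetical helper: write "<home>/<RC_NAME>" into out[outlen].
 * Returns 0 on success, -1 if home is NULL/empty or the result will not fit. */
int build_rcfile_path(const char *home, char *out, size_t outlen)
{
    int n;
    if (out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    if (home == NULL || home[0] == '\0')
        return -1;
    n = snprintf(out, outlen, "%s/%s", home, RC_NAME);
    if (n < 0 || (size_t)n >= outlen) {   /* truncation means reject, not use */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Boundary probe using a constructed HOME value of len 'A' bytes. */
int try_home_of_length(size_t len)
{
    char rcfile[RCFILE_MAX];
    char *home = malloc(len + 1);
    int rc;
    if (home == NULL) return -1;
    memset(home, 'A', len);
    home[len] = '\0';
    rc = build_rcfile_path(home, rcfile, sizeof rcfile);
    free(home);
    return rc;
}

int main(void)
{
    printf("1016 -> %d, 1017 -> %d\n", try_home_of_length(1016), try_home_of_length(1017));
    return 0;
}
```

A caller that gets -1 should skip the rc file and continue with defaults rather than use a truncated path.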