*BSD user-ppp local root (when conditions permit)

Eygene Ryabinkin rea-sec at codelabs.ru
Sat Mar 1 23:17:21 UTC 2008 

Good day.

Fri, Feb 29, 2008 at 04:39:03PM -0000, sipherr at gmail.com wrote:
> I just tested this on FreeBSD 6.3. This bug was discovered on NetBSD. It also works on OpenBSD (unconfirmed on 4.2)
> 
> Steps to reproduce:
> 
> 1. Run ppp
> 
> 2. type the following (or atleat some variation of)
> 
> ~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> 
> 
> 
> This will produce a segmentation violation (Core dumped).

Yes, good catch: looks like stack-based buffer overflow.  Also works
on FreeBSD 7.0.  Could you please test the following rough patch --
it seem to cure the situation.  Although it is a bit late for
today and I will recheck it more carefully tomorrow.

diff --git a/usr.sbin/ppp/systems.c b/usr.sbin/ppp/systems.c
index 77f06a1..0cf01d1 100644
--- a/usr.sbin/ppp/systems.c
+++ b/usr.sbin/ppp/systems.c
@@ -82,6 +82,10 @@ InterpretArg(const char *from, char *to)
     from++;
 
   while (*from != '\0') {
+    if (to >= endto) {
+	*endto = '\0';
+	return from;
+    }
     switch (*from) {
       case '"':
         instring = !instring;
@@ -97,6 +101,10 @@ InterpretArg(const char *from, char *to)
             *to++ = '\\';	/* Pass the escapes on, maybe skipping \# */
             break;
         }
+	if (to >= endto) {
+		*endto = '\0';
+		return from;
+	}
         *to++ = *from++;
         break;
       case '$':
@@ -127,6 +135,10 @@ InterpretArg(const char *from, char *to)
             *ptr++ = *from;
           *ptr = '\0';
         }
+	if (to >= endto) {
+		*endto = '\0';
+		return from;
+	}
         if (*to == '\0')
           *to++ = '$';
         else if ((env = getenv(to)) != NULL) {
@@ -142,6 +154,10 @@ InterpretArg(const char *from, char *to)
         if (len == 0)
           pwd = getpwuid(ID0realuid());
         else {
+	  if (to + len >= endto) {
+		*to = '\0';
+		return from;
+	  }
           strncpy(to, from, len);
           to[len] = '\0';
           pwd = getpwnam(to);

Thank you!
-- 
Eygene

More information about the freebsd-security mailing list