SecurityTracker.com
Category:   Application (Generic)  >   libc
Vendors:   GNU [multiple authors]
(OpenBSD Issues Fix) 'libc' Off-by-One Overflow in realpath() May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007398
SecurityTracker URL:  http://securitytracker.com/id/1007398
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 4 2003
Impact:   Denial of service via local system, Denial of service via network, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.3.2
Description:   A buffer overflow vulnerability was reported in libc. A remote or local user may be able to crash an application, execute arbitrary code, or gain elevated privileges on the target system. The specific impact depends on the applications that use the vulnerable realpath() function in libc.

It is reported that a user can supply a specially crafted pathname that is 1024 characters in length to the realpath() function. If the pathname string contains two or more directory separators, the function can write a single NUL byte past the end of a buffer.
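The following added example is a simplified model of this class of off-by-one; it is not the libc realpath() source and not code from the advisory. It shows a length check that budgets for the terminator but not the directory separator, next to a corrected join. BUF_SIZE, the function names and the sample components are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024 /* assumed size, matching the 1024-character figure above */

/* Flawed length check (illustrative): counts the NUL terminator but not the
 * '/' written between the two components. Returns 1 if the join is accepted. */
int flawed_check(const char *dir, const char *name)
{
    return strlen(dir) + strlen(name) + 1 <= BUF_SIZE;
}

/* Offset where the terminating NUL lands once dir + '/' + name is written. */
size_t nul_offset(const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name);
}

/* Hardened join: budgets for separator and terminator before copying.
 * Returns 0 on success, -1 if the result does not fit in out[BUF_SIZE]. */
int safe_join(char *out, const char *dir, const char *name)
{
    size_t dlen = strlen(dir), nlen = strlen(name);

    if (dlen >= BUF_SIZE || nlen >= BUF_SIZE - dlen - 1)
        return -1;
    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, name, nlen + 1); /* copies the NUL too */
    return 0;
}

/* Constructed boundary input: components totalling BUF_SIZE - 1 characters. */
void make_boundary(char *dir, char *name)
{
    memset(dir, 'a', 1000);  dir[0] = '/';  dir[1000] = '\0';
    memset(name, 'b', 23);   name[23] = '\0';
}

int main(void)
{
    char dir[1001], name[24], out[BUF_SIZE];

    make_boundary(dir, name);
    printf("flawed check accepts: %d\n", flawed_check(dir, name));
    printf("NUL offset: %zu (last valid index %d)\n", nul_offset(dir, name), BUF_SIZE - 1);
    printf("safe_join: %d\n", safe_join(out, dir, name));
    return 0;
}
```

On the boundary input the flawed check accepts a join whose terminator would land at offset 1024, one byte past a 1024-byte buffer, while safe_join() rejects it.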

The impact depends on the application that uses the vulnerable function, the underlying operating system, and other factors.

This vulnerability was originally reported in Alert ID #1007353 on July 31, 2003 (CVE: CVE-2003-0466) as a flaw in wu-ftpd. However, according to FreeBSD, the vulnerability resides in the underlying 'libc' realpath() function.

Janusz Niewiadomski <funkysh@isec.pl> and Wojciech Purczynski <cliph@isec.pl> are credited with reporting this flaw.

Impact:   A remote or local user may be able to crash the system or execute arbitrary code. The specific impact depends on the application that uses the affected function.
Solution:   OpenBSD has released a fix in OpenBSD-current and the 3.2 and 3.3 -stable branches.

The following patches are available for OpenBSD 3.2 and 3.3:

Patch for OpenBSD 3.2:

ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.2/common/014_realpath.patch

Patch for OpenBSD 3.3:

ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/001_realpath.patch

Users of OpenBSD versions prior to 3.2 can download the updated version of realpath.c and then rebuild and install libc with this updated version:

ftp://ftp.OpenBSD.org/pub/OpenBSD/src/lib/libc/stdlib/realpath.c

Cause:   Boundary error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  3.3 and prior versions

Message History:   This archive entry is a follow-up to the message listed below.
Aug 4 2003 'libc' Off-by-One Overflow in realpath() May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  off-by-one error in realpath(3)


An off-by-one error exists in the C library function realpath(3).
This is the same bug that was recently found in the wu-ftpd ftpd
server by Janusz Niewiadomski and Janusz Niewiadomski.

The OpenBSD ftp daemon does not use realpath(3) in a way that could
be exploited, however a number of other system binaries also use
the function.  It is not currently known whether or not this bug
results in an exploitable security hole on OpenBSD.  Since the bug
led to an exploitable hole in wu-ftpd, it is entirely possible that
some program using realpath(3) under OpenBSD may be vulnerable to
attack.  For OpenBSD 3.3 and higher, the ProPolice stack protector
should provide some protection from this bug, but this cannot be
guaranteed.

This bug has been fixed in OpenBSD-current as well as the 3.2 and
3.3 -stable branches.  Patches are available for OpenBSD 3.2 and 3.3.

Patch for OpenBSD 3.2:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.2/common/014_realpath.patch

Patch for OpenBSD 3.3:
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.2/common/001_realpath.patch

For versions of OpenBSD prior to 3.2, users may simply fetch
the current revision of realpath.c from:
    ftp://ftp.OpenBSD.org/pub/OpenBSD/src/lib/libc/stdlib/realpath.c
then rebuild and install libc with the new realpath.c.

For more details, see the description of the wu-ftpd fp_realpath bug:
    http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt



 
 



Copyright 2021, SecurityGlobal.net LLC