Bug #12523

Buffer overflow in w and whodo

Added by Jason King over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
cmd - userland programs
Start date:
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:
External Bug:

Description

CVE-2020-2771

From https://github.com/0xdea/advisories/blob/master/2020-07-solaris-whodo-w.txt:

raptor@stalker:~$ id
uid=100(raptor) gid=10(staff)
raptor@stalker:~$ cp /usr/bin/sleep AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
raptor@stalker:~$ exec -a '- BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB' ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 256 &
[switch to another shell]
raptor@stalker:~$ whodo -l # or w
 12:43pm  up 5 day(s), 20 hr(s), 36 min(s)  5 user(s)
User     tty           login@  idle   JCPU   PCPU  what
raptor   vt/7         Tue 2pm 6days   1:49   1:49  /usr/lib/tracker-miner-apps
Segmentation Fault

The analysis from that:

  • The psinfo structure info is populated by reading /proc/<pid>/psinfo
  • The char array info.pr_fname[16] is copied into the char array
    up->p_comm[80+1]
  • As a side note, the call to strncpy() at lines 344-345 incorrectly uses the
    size of the source buffer instead of the size of the destination buffer, but
    in this case this programming mistake doesn't cause a problem, because the
    source buffer is always smaller than the destination buffer:
        (void) strncpy(up->p_comm, info.pr_fname,
            sizeof (info.pr_fname));
  • The char array up->p_args[80+1] is then populated at line 418 based on the
    char array info.pr_psargs[80] as follows:
        (void) strcpy(up->p_args, info.pr_psargs);
  • If up->p_args begins with "?" or "- " (or, more correctly, with "-" followed
    by any byte <= 0x20), the following code branch at lines 423-425 is taken:
        (void) strcat(up->p_args, " (");
        (void) strcat(up->p_args, up->p_comm);
        (void) strcat(up->p_args, ")");
  • In detail, the following chars are appended to the string:
    " (" + up->p_comm [maximum size excluding NULL-terminator is 15] + ")" + NULL
  • Therefore, it is possible to overflow the up->p_args buffer at most as
    follows:
      * Buffer is 81 bytes: "- " + "B"x77 + " ("
      * Overflow is 17 bytes: "A"x15 + ")" + NULL

As noted in the original disclosure, the bug does not appear to be currently exploitable (however there's no guarantee that can't change in the future). We should fix the overflow and proactively further harden w and whodo.
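The arithmetic in the analysis above, worked through in code. This is an added example and not the illumos w.c source or the fix that was committed; the struct and function names are hypothetical, and only the buffer sizes (pr_fname 16 bytes, pr_psargs 80 bytes, p_comm and p_args 81 bytes) come from the advisory. The unchecked strcpy/strcat sequence is modelled by counting the bytes it would store rather than executing it, so nothing here actually overflows; beside it is a bounded variant in which every write is limited by the size of its destination and truncation is reported to the caller instead of silently corrupting the stack.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the advisory (pr_fname[16], pr_psargs[80], p_*[80+1]). */
#define PRFNSZ  16
#define PRARGSZ 80

/* Hypothetical stand-in for the p_comm / p_args members of struct uproc. */
struct uproc_args {
	char p_comm[PRARGSZ + 1];	/* command name */
	char p_args[PRARGSZ + 1];	/* command line, maybe with " (comm)" */
};

/* The condition under which " (" comm ")" gets appended to the args. */
static bool needs_comm_suffix(const char *args)
{
	return args[0] == '?' ||
	    (args[0] == '-' && (unsigned char)args[1] <= 0x20);
}

/*
 * Bytes the unchecked strcpy/strcat sequence would store in p_args, NUL
 * included. Computed, not executed, so this never writes out of bounds.
 */
size_t unchecked_bytes_written(const char *psargs, const char *fname)
{
	size_t n = strlen(psargs);

	if (needs_comm_suffix(psargs))
		n += 2 + strlen(fname) + 1;	/* " (" + comm + ")" */
	return n + 1;				/* trailing NUL */
}

/*
 * Bounded replacement: snprintf is limited by sizeof the destination.
 * Returns true when the result had to be truncated to fit.
 */
bool format_args_bounded(struct uproc_args *up, const char *psargs,
    const char *fname)
{
	int n;

	(void) snprintf(up->p_comm, sizeof (up->p_comm), "%s", fname);
	if (needs_comm_suffix(psargs))
		n = snprintf(up->p_args, sizeof (up->p_args), "%s (%s)",
		    psargs, up->p_comm);
	else
		n = snprintf(up->p_args, sizeof (up->p_args), "%s", psargs);
	return n < 0 || (size_t)n >= sizeof (up->p_args);
}

/* Constructed worst case from the advisory: "- " + 77 'B', fname of 15 'A'. */
static void build_worst_case(char psargs[PRARGSZ], char fname[PRFNSZ])
{
	memset(psargs, 'B', PRARGSZ - 1);
	psargs[0] = '-';
	psargs[1] = ' ';
	psargs[PRARGSZ - 1] = '\0';
	memset(fname, 'A', PRFNSZ - 1);
	fname[PRFNSZ - 1] = '\0';
}

/* How far the unchecked code would run past p_args on the worst case. */
size_t worst_case_overflow_bytes(void)
{
	char psargs[PRARGSZ], fname[PRFNSZ];
	size_t need;

	build_worst_case(psargs, fname);
	need = unchecked_bytes_written(psargs, fname);
	return need > sizeof (((struct uproc_args *)0)->p_args) ?
	    need - sizeof (((struct uproc_args *)0)->p_args) : 0;
}

/* Whether the bounded version has to truncate the worst case. */
bool worst_case_bounded_truncated(void)
{
	struct uproc_args up;
	char psargs[PRARGSZ], fname[PRFNSZ];

	build_worst_case(psargs, fname);
	return format_args_bounded(&up, psargs, fname);
}

/* Characters actually stored by the bounded version on the worst case. */
size_t worst_case_bounded_len(void)
{
	struct uproc_args up;
	char psargs[PRARGSZ], fname[PRFNSZ];

	build_worst_case(psargs, fname);
	(void) format_args_bounded(&up, psargs, fname);
	return strlen(up.p_args);
}

/* True when the bounded version yields exactly `expected`, untruncated. */
bool bounded_matches(const char *psargs, const char *fname, const char *expected)
{
	struct uproc_args up;

	if (format_args_bounded(&up, psargs, fname))
		return false;
	return strcmp(up.p_args, expected) == 0;
}

int main(void)
{
	printf("unchecked: %zu bytes past the end of p_args\n",
	    worst_case_overflow_bytes());
	printf("bounded: stored %zu chars, truncated=%d\n",
	    worst_case_bounded_len(), worst_case_bounded_truncated());
	return 0;
}
```

On the constructed worst case the unchecked path would store 98 bytes into an 81-byte array, the 17-byte overrun the advisory describes, while the bounded path stores 80 characters plus the NUL and reports the truncation. Reporting truncation matters: a caller that shows process listings should prefer a visibly clipped command line over either an overflow or a silently shortened one.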


Related issues

Related to illumos gate - Bug #12683: w(1) and whodo(1) should silently skip dirs it cannot open (Closed, Jason King)

Actions #1

Updated by Jason King over 3 years ago

To test, I ran the steps to reproduce the segfault as described in the original vulnerability disclosure (and verified the unmodified binaries do segfault). I then ran the fixed versions and verified the steps to reproduce no longer segfault.

In addition, I ran w and whodo with all their misc flags both as root and as a non-root user and compared the output to the unmodified versions to verify there were no regressions in the output.

Actions #2

Updated by Jason King over 3 years ago

  • Subject changed from Buffer overflow in w and whodat to Buffer overflow in w and whodo
Actions #3

Updated by Electric Monk over 3 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 6a79a30125dbfeba7eb8ef0a9cd3a8206f644043

commit  6a79a30125dbfeba7eb8ef0a9cd3a8206f644043
Author: Jason King <jason.king@joyent.com>
Date:   2020-04-18T19:43:50.000Z

    12523 Buffer overflow in w and whodo
    Reviewed by: Peter Tribble <peter.tribble@gmail.com>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Reviewed by: Yuri Pankov <ypankov@fastmail.com>
    Approved by: Robert Mustacchi <rm@fingolfin.org>

Actions #4

Updated by Andy Fiddaman over 3 years ago

  • Related to Bug #12683: w(1) and whodo(1) should silently skip dirs it cannot open added