Bug #12523: Buffer overflow in w and whodo
Status: Closed
% Done: 100%
Description
CVE-2020-2771
From https://github.com/0xdea/advisories/blob/master/2020-07-solaris-whodo-w.txt:

raptor@stalker:~$ id
uid=100(raptor) gid=10(staff)
raptor@stalker:~$ cp /usr/bin/sleep AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
raptor@stalker:~$ exec -a '- BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB' ./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 256 &
[switch to another shell]
raptor@stalker:~$ whodo -l # or w
 12:43pm  up 5 day(s), 20 hr(s), 36 min(s)  5 user(s)
User     tty           login@  idle   JCPU   PCPU  what
raptor   vt/7         Tue 2pm 6days   1:49   1:49  /usr/lib/tracker-miner-apps
Segmentation Fault

The analysis from that:
- The psinfo structure info is populated by reading /proc/<pid>/psinfo
- The char array info.pr_fname[16] is copied into the char array
  up->p_comm[80+1]
- As a side note, the call to strncpy() at lines 344-345 incorrectly uses the
  size of the source buffer instead of the size of the destination buffer, but
  in this case this programming mistake doesn't cause a problem, because the
  source buffer is always smaller than the destination buffer:
      (void) strncpy(up->p_comm, info.pr_fname,
          sizeof (info.pr_fname));
- The char array up->p_args[80+1] is then populated at line 418 based on the
  char array info.pr_psargs[80] as follows:
      (void) strcpy(up->p_args, info.pr_psargs);
- If up->p_args begins with "?" or "- " (or, more correctly, with "-" followed
  by any byte <= 0x20), the following code branch at lines 423-425 is taken:
      (void) strcat(up->p_args, " (");
      (void) strcat(up->p_args, up->p_comm);
      (void) strcat(up->p_args, ")");
- In detail, the following chars are appended to the string:
  " (" + up->p_comm [maximum size excluding NULL-terminator is 15] + ")" + NULL
- Therefore, it is possible to overflow the up->p_args buffer at most as
  follows:
  * Buffer is 81 bytes: "- " + "B"x77 + " ("
  * Overflow is 17 bytes: "A"x15 + ")" + NULL
As noted in the original disclosure, the bug does not appear to be currently exploitable (however, there is no guarantee that this can't change in the future). We should fix the overflow and proactively further harden w and whodo.
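The arithmetic in the analysis above, worked through in code. This is an added example, not code from the advisory or from the illumos w/whodo sources: the struct uproc stand-in, the helper names (args_bytes_needed, args_overflow_bytes, fill_comm_safe, fill_args_safe, worst_case_*) and the constructed worst-case input are assumptions; the buffer sizes (pr_fname[16], pr_psargs[80], p_comm[80+1], p_args[80+1]) are the ones the analysis quotes. It computes how many bytes the unchecked strcpy/strcat sequence would write past p_args for a given psargs/comm pair (17 for the advisory's worst case) and shows the hardened form, where every copy is bounded by the size of the destination rather than the source and truncation is reported instead of silently spilling.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes as quoted in the analysis: psinfo pr_fname[16], pr_psargs[80],
 * and the w/whodo fields p_comm[80+1] and p_args[80+1]. */
#define PRFNSZ    16
#define PRARGSZ   80
#define P_COMM_SZ (PRARGSZ + 1)
#define P_ARGS_SZ (PRARGSZ + 1)

/* Hypothetical stand-in for the per-process record w/whodo fill in. */
struct uproc {
    char p_comm[P_COMM_SZ];
    char p_args[P_ARGS_SZ];
};

/* Branch condition from the analysis: psargs starts with '?' or with '-'
 * followed by any byte <= 0x20 (a NUL counts, so "-" alone qualifies). */
static bool wants_comm_suffix(const char *psargs)
{
    if (psargs[0] == '?')
        return true;
    return psargs[0] == '-' && (unsigned char)psargs[1] <= 0x20;
}

/* Bytes (including the NUL) the unchecked strcpy + strcat sequence writes. */
size_t args_bytes_needed(const char *psargs, const char *comm)
{
    size_t n = strlen(psargs) + 1;
    if (wants_comm_suffix(psargs))
        n += 2 + strlen(comm) + 1;      /* " (" + comm + ")" */
    return n;
}

/* How far the unchecked sequence would write past the end of p_args. */
size_t args_overflow_bytes(const char *psargs, const char *comm)
{
    size_t n = args_bytes_needed(psargs, comm);
    return n > P_ARGS_SZ ? n - P_ARGS_SZ : 0;
}

/* Hardened pr_fname copy: bounded by the source's fixed width and by the
 * destination size, and always NUL-terminated. */
void fill_comm_safe(struct uproc *up, const char pr_fname[PRFNSZ])
{
    size_t n = 0;
    while (n < PRFNSZ && n < sizeof(up->p_comm) - 1 && pr_fname[n] != '\0')
        n++;
    memcpy(up->p_comm, pr_fname, n);
    up->p_comm[n] = '\0';
}

/* Hardened replacement for strcpy + three strcat calls: one snprintf bounded
 * by sizeof the destination. Returns true if the text fit, false if it was
 * truncated; p_args is NUL-terminated either way. */
bool fill_args_safe(struct uproc *up, const char *psargs)
{
    int n;
    if (wants_comm_suffix(psargs))
        n = snprintf(up->p_args, sizeof(up->p_args), "%s (%s)",
                     psargs, up->p_comm);
    else
        n = snprintf(up->p_args, sizeof(up->p_args), "%s", psargs);
    return n >= 0 && (size_t)n < sizeof(up->p_args);
}

/* Constructed worst case from the analysis: "- " + 77 'B', comm of 15 'A'. */
static void build_worst_case(struct uproc *up, char psargs[PRARGSZ])
{
    char pr_fname[PRFNSZ];
    memset(psargs, 'B', PRARGSZ - 1);
    psargs[0] = '-';
    psargs[1] = ' ';
    psargs[PRARGSZ - 1] = '\0';
    memset(pr_fname, 'A', PRFNSZ - 1);
    pr_fname[PRFNSZ - 1] = '\0';
    fill_comm_safe(up, pr_fname);
}

/* Overflow the original code would produce on the worst case. */
size_t worst_case_overflow(void)
{
    char psargs[PRARGSZ];
    struct uproc up;
    build_worst_case(&up, psargs);
    return args_overflow_bytes(psargs, up.p_comm);
}

/* Length the hardened version stores on the worst case (truncated to fit). */
size_t worst_case_safe_len(void)
{
    char psargs[PRARGSZ];
    struct uproc up;
    build_worst_case(&up, psargs);
    (void) fill_args_safe(&up, psargs);
    return strlen(up.p_args);
}

/* Whether the hardened version reports the worst case as fitting. */
bool worst_case_fits(void)
{
    char psargs[PRARGSZ];
    struct uproc up;
    build_worst_case(&up, psargs);
    return fill_args_safe(&up, psargs);
}

int main(void)
{
    printf("unchecked overflow on worst case: %zu bytes\n", worst_case_overflow());
    printf("hardened copy stores %zu bytes, fit=%d\n",
           worst_case_safe_len(), (int)worst_case_fits());
    return 0;
}
```

The truncation signal from fill_args_safe is the part worth keeping: the upstream fix only needs the copy bounded, but a caller that wants to know when a process name was cut off can test the return value instead of inspecting the buffer.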
Related issues
Updated by Jason King over 3 years ago
To test, I ran the steps to reproduce the segfault as described in the original vulnerability disclosure (and verified the unmodified binaries do segfault). I then ran the fixed versions and verified the steps to reproduce no longer segfault.
In addition, I ran w and whodo with all their misc flags both as root and as a non-root user and compared the output to the unmodified versions to verify there were no regressions in the output.
Updated by Jason King over 3 years ago
- Subject changed from Buffer overflow in w and whodat to Buffer overflow in w and whodo
Updated by Electric Monk over 3 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit 6a79a30125dbfeba7eb8ef0a9cd3a8206f644043

commit 6a79a30125dbfeba7eb8ef0a9cd3a8206f644043
Author: Jason King <jason.king@joyent.com>
Date: 2020-04-18T19:43:50.000Z

12523 Buffer overflow in w and whodo
Reviewed by: Peter Tribble <peter.tribble@gmail.com>
Reviewed by: Toomas Soome <tsoome@me.com>
Reviewed by: Yuri Pankov <ypankov@fastmail.com>
Approved by: Robert Mustacchi <rm@fingolfin.org>
Updated by Andy Fiddaman over 3 years ago
- Related to Bug #12683: w(1) and whodo(1) should silently skip dirs it cannot open added