2000-11-14 09:29:55

by Olaf Kirch

Subject: Re: More modutils: It's probably worse.

On Tue, Nov 14, 2000 at 12:06:32AM +0100, Michal Zalewski wrote:
> Maybe I am missing something, but at least for me, modprobe
> vulnerabilities are exploitable via privileged networking services,
> nothing more.

Maybe not. ncpfs for instance has an ioctl that seems to allow
unprivileged users to specify a character set (codepage in m$speak)
that's requested via load_nls(), which in turn does a

    sprintf(buf, "nls_%s", codepage);
    request_module(buf);

Yummy.

The vfat file system contains code to obtain the charset name from
the media. Currently, the charset name is always "cp<number>", but
who knows, maybe next month will see another Microsoft extension to
ISO9660 that lets you specify an NLS name as a string?

Everyone is fixing modutils right now. Fine, but what about next
year's modutils rewrite?

This is why I keep repeating over and over again that we should make
sure request_module _does_not_ accept funky module names. Why allow
people to shoot themselves (and, by extension, all other Linux users
out there) in the foot?

Olaf

PS: The load_nls code tries to check for buffer overflows, but
gets it wrong:

    struct nls_table *nls;
    char buf[40];

    if (strlen(charset) > sizeof(buf) - sizeof("nls_"))
        fail;
    sprintf(buf, "nls_%s", charset);

This will accept charset names of up to 35 characters,
because sizeof("nls_") is 5. This gives you a single NUL byte
overflow. Whether it's dangerous or not depends on whether your
compiler reserves stack space for the *nls pointer or not...

--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
[email protected] | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
[email protected] +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
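The pattern the message above describes, as an added user-space example that is not kernel code and not from Olaf's post: a load_nls()-style function builds "nls_<charset>" from a caller-supplied string and hands it to request_module(), first in the shape quoted in the message (hand-rolled length check, sprintf, no look at the string's contents) and then hardened the way the message argues for, with the name filter living in request_module() itself rather than in every caller. request_module() is stubbed to record what would have reached modprobe; NAME_MAX_LEN, the character policy ([A-Za-z0-9_-], no leading '-', non-empty) and the helper names are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NLS_BUF_SIZE 40   /* same size as buf[40] in the quoted load_nls() */
#define NAME_MAX_LEN 64   /* assumed cap on a module name for this example */

static char last_requested[NAME_MAX_LEN + 1];  /* what modprobe would have received */

/* Unchecked stand-in for request_module(): records the name as if it had
 * been handed straight to modprobe. */
static int request_module_unchecked(const char *name)
{
    snprintf(last_requested, sizeof last_requested, "%s", name);
    return 0;
}

/* The filter the message asks for inside request_module(): a module name is
 * non-empty, does not begin with '-' (it would read as an option flag once
 * it reaches a command line) and contains only [A-Za-z0-9_-].  Assumed policy. */
static int module_name_ok(const char *name)
{
    if (name[0] == '\0' || name[0] == '-' || strlen(name) > NAME_MAX_LEN)
        return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-')
            return 0;
    return 1;
}

static int request_module_checked(const char *name)
{
    if (!module_name_ok(name))
        return -1;                        /* refused before modprobe ever sees it */
    return request_module_unchecked(name);
}

/* The shape quoted in the message: length check by hand, sprintf into a
 * fixed buffer, no validation of what the charset string contains. */
static int load_nls_original(const char *charset)
{
    char buf[NLS_BUF_SIZE];

    if (strlen(charset) > sizeof(buf) - sizeof("nls_"))
        return -1;
    sprintf(buf, "nls_%s", charset);
    return request_module_unchecked(buf);
}

/* Hardened shape: snprintf()'s return value decides whether the name fit, so
 * nobody has to get the sizeof/strlen arithmetic right by hand, and the
 * checked request_module() rejects anything that is not a plain module name. */
static int load_nls_hardened(const char *charset)
{
    char buf[NLS_BUF_SIZE];
    int n;

    if (charset[0] == '\0')
        return -1;
    n = snprintf(buf, sizeof buf, "nls_%s", charset);
    if (n < 0 || (size_t)n >= sizeof buf)  /* output was truncated: too long */
        return -1;
    return request_module_checked(buf);
}

/* Run one lookup (hardened or not) and expose what reached modprobe. */
static int try_load(const char *charset, int hardened)
{
    last_requested[0] = '\0';
    return hardened ? load_nls_hardened(charset) : load_nls_original(charset);
}

static const char *last_module_requested(void)
{
    return last_requested;
}

/* Charset of `len` 'a' characters, to probe the length boundary of both versions. */
static int try_load_of_length(size_t len, int hardened)
{
    char name[NAME_MAX_LEN + 1];

    if (len > NAME_MAX_LEN)
        return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    return try_load(name, hardened);
}

int main(void)
{
    /* Constructed inputs: a normal codepage, a path, a string carrying an option. */
    const char *inputs[] = { "cp437", "../../evil", "cp437 -C /tmp/x", "" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int r0 = try_load(inputs[i], 0);
        printf("original: %-16s -> %2d, modprobe sees \"%s\"\n", inputs[i], r0, last_module_requested());
        int r1 = try_load(inputs[i], 1);
        printf("hardened: %-16s -> %2d, modprobe sees \"%s\"\n", inputs[i], r1, last_module_requested());
    }
    return 0;
}
```

The original version forwards "nls_../../evil" and "nls_cp437 -C /tmp/x" unchanged; the hardened version refuses both and also refuses an empty charset, while accepting the same longest well-formed name (35 characters) as the hand-rolled check does, because the truncation test on snprintf()'s return value is exact by construction.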