On Tue, Nov 14, 2000 at 12:06:32AM +0100, Michal Zalewski wrote:
> Maybe I am missing something, but at least for me, modprobe
> vulnerabilities are exploitable via privledged networking services,
> nothing more.

Maybe not. ncpfs for instance has an ioctl that seems to allow
unprivileged users to specify a character set (codepage in m$speak)
that's requested via load_nls(), which in turn does a

        sprintf(buf, "nls_%s", codepage);
        request_module(buf);

Yummy.

The vfat file system contains code to obtain the charset name from
the media. Currently, the charset name is always "cp<number>", but
who knows, maybe next month will see another Microsoft extension to
ISO9660 that lets you specify an NLS name as a string?

Everyone is fixing modutils right now. Fine, but what about next
year's modutils rewrite?

This is why I keep repeating over and over again that we should make
sure request_module _does_not_ accept funky module names. Why allow
people to shoot themselves (and, by extension, all other Linux users
out there) in the foot?

Olaf

PS: The load_nls code tries to check for buffer overflows, but
    gets it wrong:

        struct nls_table *nls;
        char    buf[40];

        if (strlen(charset) > sizeof(buf) - sizeof("nls_"))
                fail;
        sprintf(buf, "nls_%s", charset);

    This will accept charset names of up to 35 characters,
    because sizeof("nls_") is 5. This gives you a single NUL byte
    overflow. Whether it's dangerous or not depends on whether your
    compiler reserves stack space for the *nls pointer or not...

-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
[EMAIL PROTECTED]  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
[EMAIL PROTECTED]    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.            
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/

Reply via email to