[Patch] Fix buffer overflow in kill utility

2005-02-26 Thread Brian Dessent

In kill.cc there exists the possibility to overflow the char buf[80]
array by supplying malformed command line arguments.

An attacker could use this to overwrite the return value on the stack
and execute arbitrary code, but the amount of space available on the
stack for shellcode is approx 108 bytes so you'd have to be mighty
creative to do anything significant with it.  A far-fetched scenario
might be some kind of perl or other CGI script running under Apache that
somehow allows a user-specified signal name to reach the command line of
/bin/kill.  Emphasis on the far-fetched part though.

Example:

$ /bin/kill -s `perl -e 'print "A"x200'`
Segmentation fault (core dumped)

As far as I can tell from CVS history this has existed in kill.cc since
its first version (~5 years.)  Trivial patch below.

2005-02-26  Brian Dessent  [EMAIL PROTECTED]

* kill.cc (getsig): Use snprintf to prevent overflowing `buf'.

Index: winsup/utils/kill.cc
===
RCS file: /cvs/src/src/winsup/utils/kill.cc,v
retrieving revision 1.25
diff -u -p -r1.25 kill.cc
--- winsup/utils/kill.cc13 Nov 2004 16:30:19 -  1.25
+++ winsup/utils/kill.cc27 Feb 2005 02:29:40 -
@@ -87,7 +87,7 @@ getsig (const char *in_sig)
 sig = in_sig;
   else
 {
-  sprintf (buf, SIG%s, in_sig);
+  snprintf (buf, sizeof(buf), SIG%s, in_sig);
   sig = buf;
 }
   intsig = strtosigno (sig) ?: atoi (in_sig);
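Review bot: the `+` line stops the overflow but truncates silently: an over-long name leaves a cut-off "SIG..." string in buf that strtosigno will not recognise, so the line below falls back to atoi (in_sig), which is 0 for a non-numeric name, and the caller gets no indication that the name was mangled. Consider checking up front that strlen (in_sig) + sizeof ("SIG") does not exceed sizeof (buf) and reporting an invalid signal name instead of relying on the fallback. Minor style point: the file uses GNU spacing (`sprintf (buf, ...`, `getsig (const char *in_sig)`), so `sizeof (buf)` rather than `sizeof(buf)` would match the surrounding code.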



Re: [Patch] Fix buffer overflow in kill utility

2005-02-26 Thread Christopher Faylor
On Sat, Feb 26, 2005 at 06:43:08PM -0800, Brian Dessent wrote:

> In kill.cc there exists the possibility to overflow the char buf[80]
> array by supplying malformed command line arguments.
>
> An attacker could use this to overwrite the return value on the stack
> and execute arbitrary code, but the amount of space available on the
> stack for shellcode is approx 108 bytes so you'd have to be mighty
> creative to do anything significant with it.  A far-fetched scenario
> might be some kind of perl or other CGI script running under Apache that
> somehow allows a user-specified signal name to reach the command line of
> /bin/kill.  Emphasis on the far-fetched part though.
>
> Example:
>
> $ /bin/kill -s `perl -e 'print "A"x200'`
> Segmentation fault (core dumped)
>
> As far as I can tell from CVS history this has existed in kill.cc since
> its first version (~5 years.)  Trivial patch below.
>
> 2005-02-26  Brian Dessent  [EMAIL PROTECTED]
>
>    * kill.cc (getsig): Use snprintf to prevent overflowing `buf'.

Thanks for the patch.

Call me old-fashioned, but my first inclination in a case like this would be
to just limit the format spec to avoid overflow.  So, I've checked in a patch
which does this.

cgf
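The three ways of bounding the copy that this thread touches on, side by side as an added example that is not Cygwin's code: the posted snprintf patch, the precision-limited format spec the maintainer describes, and an explicit length check that rejects an over-long name rather than truncating it. The 80-byte buffer and "SIG" prefix mirror the getsig() in the hunk; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for kill.cc's getsig(): a fixed buf[80] receives
 * "SIG" + the user-supplied name when the name lacks the prefix. This is
 * not Cygwin's code; the function names are hypothetical. */
#define PREFIX "SIG"

/* Variant 1, the posted patch: snprintf bounds the write but silently
 * truncates, so an over-long name leaves a mangled "SIGAAAA..." in buf
 * that no signal table will match. Returns 1 when truncation happened. */
int getsig_snprintf(const char *in_sig, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, PREFIX "%s", in_sig);
    return n < 0 || (size_t)n >= buflen;
}

/* Variant 2, the maintainer's approach: a precision in the format spec
 * caps the copy. For an 80-byte buffer that is 80 - 3 ("SIG") - 1 (NUL)
 * = 76; the precision must be updated if the buffer size ever changes. */
int getsig_precision(const char *in_sig, char buf[80])
{
    sprintf(buf, PREFIX "%.76s", in_sig);   /* never exceeds 80 bytes */
    return strlen(in_sig) > 76;             /* 1 if the name was cut */
}

/* Variant 3, rejection instead of truncation: return NULL for a name
 * that cannot fit, so the caller can report an invalid signal name
 * instead of falling through to atoi(in_sig). */
const char *getsig_checked(const char *in_sig, char *buf, size_t buflen)
{
    size_t plen = strlen(PREFIX), nlen = strlen(in_sig);
    if (strncmp(in_sig, PREFIX, plen) == 0)
        return in_sig;                      /* already prefixed */
    if (nlen + plen + 1 > buflen)
        return NULL;                        /* would not fit with NUL */
    memcpy(buf, PREFIX, plen);
    memcpy(buf + plen, in_sig, nlen + 1);
    return buf;
}

int main(void)
{
    char buf[80], name[201];
    memset(name, 'A', 200);                 /* the thread's 200 x 'A' */
    name[200] = '\0';
    printf("snprintf truncated:  %d\n", getsig_snprintf(name, buf, sizeof buf));
    printf("precision truncated: %d\n", getsig_precision(name, buf));
    printf("checked rejects:     %d\n", getsig_checked(name, buf, sizeof buf) == NULL);
    return 0;
}
```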