"procps is a package that has a few small useful utilities that give information about processes using the /proc filesystem. The package includes the programs ps, top, vmstat, w, kill, free, slabtop, and skill."
A buffer overflow vulnerability has been discovered in the argument handling of the pwdx utility supplied with Procps.
Credit:
The information has been provided by Imran Ghory.
Vulnerable Systems:
* pwdx included with Procps versions 3.2.5 and prior
There seems to be no distribution which includes pwdx as setuid; however, given its nature it may well be called by programs/scripts which are setuid or run by a privileged user. As such, the vulnerability lies primarily in users assuming that this program is safe.
Buffer Overflow Vulnerability:
In pwdx.c:
if (regexec(&re, argv[i], 0, NULL, 0) != 0)
{
    /* unbounded copy of the argument into the fixed-length buf */
    sprintf(buf, "pwdx: invalid process id: %s\n", argv[i]); // FIXME (overflow)
    die(buf);
}
If it is unable to find a process id matching argv[1], it sprintf's the argument into a fixed-length character array. Furthermore, the function die(char*) has a format string vulnerability because it is implemented in the following way:
static void die(const char *msg)
{
    fprintf(stderr, msg);
    exit(1);
}
Workaround:
Do not setuid this program, and if running the program as a privileged user, ensure that no untrusted user is able to control the arguments passed to pwdx.
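A hardened form of the two snippets above, as an added example that is not the procps project's own code or its actual fix. The names build_error, emit_error, die_safe and ERRBUF_SIZE are hypothetical, and the buffer size is an assumption because the advisory does not state it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERRBUF_SIZE 64  /* assumed size; the advisory does not give the real one */

/* Bounded replacement for the sprintf() call: snprintf() never writes more
 * than buflen bytes and always NUL-terminates when buflen > 0.
 * Returns 1 if the message was truncated, 0 if it fit, -1 on error. */
static int build_error(char *buf, size_t buflen, const char *arg)
{
    int n = snprintf(buf, buflen, "pwdx: invalid process id: %s\n", arg);
    if (n < 0)
        return -1;
    return (size_t)n >= buflen ? 1 : 0;
}

/* Writes msg as data. fputs() does no format parsing, so conversion
 * specifiers that arrived through argv are printed literally.
 * Returns 0 on success, -1 on a write error. */
static int emit_error(FILE *fp, const char *msg)
{
    return fputs(msg, fp) == EOF ? -1 : 0;
}

/* Counterpart of die(): same exit behaviour, no format interpretation. */
static void die_safe(const char *msg)
{
    emit_error(stderr, msg);
    exit(1);
}

int main(int argc, char **argv)
{
    char buf[ERRBUF_SIZE];
    /* Constructed sample argument used when none is supplied. */
    const char *arg = argc > 1 ? argv[1] : "%x%x (constructed sample)";

    build_error(buf, sizeof buf, arg);  /* truncates instead of overflowing */
    die_safe(buf);                      /* prints the specifiers literally */
}
```

Passing the message as a "%s" argument to fprintf would work equally well; the point is that text derived from argv never occupies the format-string position.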