Bug 11723 - Buffer overflows in kermit could allow elevated privilages
Buffer overflows in kermit could allow elevated privilages
Status: CLOSED RAWHIDE
Product: Red Hat Powertools
Classification: Retired
Component: C-Kermit (Show other bugs)
6.2
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-05-28 20:37 EDT by SB
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-05-28 20:37:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description SB 2000-05-28 20:37:18 EDT
I've briefly tried out the C-Kermit package from the powertools and noticed
it has several buffer overflows including in (apparently) in all code
dealing with hostname handling.  As kermit is installed as setgid uucp it
could be possible to use the overflows to execute code under the the group
uucp.  I tried to track the bugs down, but the code to C-Kermit is old and
trying to figure it out is like trying to do brain-surgery with a
toothpick.  Here is are a couple of examples of overflows:

[root@king cku197]# ls -al /usr/bin/kermit
-rwxr-sr-x    1 root     uucp      1513808 Mar 29 13:03 /usr/bin/kermit

[root@king cku197]# gdb kermit
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
...
This GDB was configured as "i386-redhat-linux"...(no debugging symbols
found)...
(gdb) run
Starting program: /usr/bin/kermit
C-Kermit 7.0.197, 8 Feb 2000, for Linux
 Copyright (C) 1985, 2000,
  Trustees of Columbia University in the City of New York.
Type ? or HELP for help.
(/usr/src/redhat/BUILD/cku197/) C-Kermit>lookup <1500 A's>
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info registers
eax            0x0      0
ecx            0x4831ca9b       1211222683
edx            0x0      0
ebx            0x1      1
esp            0xbfffdee4       0xbfffdee4
ebp            0x41414141       0x41414141
esi            0x825ef50        136703824
edi            0x825f3cd        136704973
eip            0x41414141       0x41414141

And another example:

[root@king cku197]# gdb kermit
GNU gdb 5.0
...
This GDB was configured as "i386-redhat-linux"...(no debugging symbols
found)...
(gdb) run
Starting program: /usr/bin/kermit
C-Kermit 7.0.197, 8 Feb 2000, for Linux
 Copyright (C) 1985, 2000,
  Trustees of Columbia University in the City of New York.
Type ? or HELP for help.
(/usr/src/redhat/BUILD/cku197/) C-Kermit>set host
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 DNS Lookup... Can't get address for
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAA
Can't open connection to
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info registers
eax            0x0      0
ecx            0xc85a6  820646
edx            0x8112402        135341058
ebx            0x2c     44
esp            0xbfffdeb4       0xbfffdeb4
ebp            0x41414141       0x41414141
esi            0x0      0
edi            0x401ab020       1075490848
eip            0x41414141       0x41414141

And there appear to be several more unchecked buffers.  For emphasis look
at these word counted greps of the sourcecode:

[root@king cku197]# grep strcpy *.c | wc -l
    476
[root@king cku197]# grep strncpy *.c | wc -l
    613
[root@king cku197]# grep strncat *.c | wc -l
     31
[root@king cku197]# grep strcat *.c | wc -l
    301
[root@king cku197]# grep sprintf *.c | wc -l
    881
[root@king cku197]# grep snprintf *.c | wc -l
      0
[root@king cku197]# grep sscanf *.c | wc -l
      1
[root@king cku197]# grep fscanf *.c | wc -l
      0
[root@king cku197]# grep fgets *.c | wc -l
     17
[root@king cku197]# grep fputs *.c | wc -l
      4
[root@king cku197]# grep puts *.c | wc -l
     54
[root@king cku197]# grep gets *.c | wc -l
    182
[root@king cku197]# grep "gets(" *.c | wc -l
     14
[root@king cku197]# grep "puts(" *.c | wc -l
     15
[root@king cku197]# grep "vsprintf" *.c | wc -l
      5
[root@king cku197]# grep "execl" *.c | wc -l
      8
[root@king cku197]# grep "execv" *.c | wc -l
      3
[root@king cku197]# grep "exec" *.c | wc -l
    190
[root@king cku197]# grep "popen" *.c | wc -l
      9


Things that stand out are:
801 sprintfs
0 snprintfs
476 strcpys
301 strcats

There seems to be loads of unchecked buffers which would require endless
hours to track down in such poorly organized and outdated code.  My
suggestion is to recommend users to remove the setgid bit from the program,
notify the authors and let them the fix code if they deem it necessary.
Though I'd still be concerned with the number of unchecked buffers that
somebody could easily find someway to exploit one in remotely on a kermit
running in server mode to get remote access to the machine.  I haven't
checked for this kind of attack but there is potential.  Either way, safest
bet is to remove the setgid flag for now, it's more of a risk than a useful
feature.

-Stan Bubrouski
Comment 1 Nalin Dahyabhai 2000-07-19 12:51:32 EDT
Removing the setgid bit in C-Kermit-1.97-3, at least until I can sit
down and sift through it, if I ever do.

Note You need to log in before you can comment on or make changes to this bug.