From svdb@stack.nl  Sun Apr  4 14:55:59 2004
Return-Path: <svdb@stack.nl>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1430016A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  4 Apr 2004 14:55:59 -0700 (PDT)
Received: from mailhost.stack.nl (vaak.stack.nl [131.155.140.140])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5EE8C43D2D
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  4 Apr 2004 14:55:58 -0700 (PDT)
	(envelope-from svdb@stack.nl)
Received: from toad.stack.nl (zen.stack.nl [2001:610:1108:5010::130])
	by mailhost.stack.nl (Postfix) with ESMTP id 4070846D#6C9B81F017
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  4 Apr 2004 23:55:57 +0200 (CEST)
Received: by toad.stack.nl (Postfix, from userid 1106)
	id 545417F; Sun,  4 Apr 2004 23:55:57 +0200 (CEST)
Message-Id: <20040404215557.545417F@toad.stack.nl>
Date: Sun,  4 Apr 2004 23:55:57 +0200 (CEST)
From: Serge van den Boom <svdb+freebsd-bugs@stack.nl>
Reply-To: Serge van den Boom <svdb+freebsd-bugs@stack.nl>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: buffer overrun in timedc
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         65175
>Category:       bin
>Synopsis:       buffer overrun in timedc
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 04 15:00:38 PDT 2004
>Closed-Date:    Sat Jul 17 22:45:48 GMT 2004
>Last-Modified:  Sat Jul 17 22:45:48 GMT 2004
>Originator:     Serge van den Boom
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
M.C.G.V. Stack
>Environment:
System: FreeBSD toad.stack.nl 4.9-STABLE FreeBSD 4.9-STABLE #12: Fri Feb 6 12:18:35 CET 2004 jilles@vwww.stack.nl:/vwww.mnt/sources/4.x/obj/vwww.mnt/sources/4.x/sys/toad_vwww i386

>Description:
	There exists a buffer overrun in timedc, which is installed setuid
	root by default.
	In interactive mode, if you enter a command, a pointer to each of
	the arguments is stored in the global array 'margv'.
	The problem is that the array is declared with size 20, and
	no bounds checks are done when filling this array.
	Fortunately, the command string, from which the array is filled, is
	no longer than 200 characters, allowing for only a limited range of
	memory which can be overwritten.
	On the system where I examined this bug, nothing exploitable seems
	to be in this range [1], however using a different architecture or
	compiler/linker, this may be different.
	If such an exploit were possible, it would not directly
	lead to root privileges, as these are given up as one of the
	first things in the program. It would however leave the attacker
	with a UDP socket bound to a privileged port, and a raw ICMP socket.

	[1] The command string itself IS within the overwritable range, and
	it is possible to overwrite its terminating '\0', which would cause
	the command line parsing to go on for too long. As there are not
	many variables after that in the memory page, and the end of the page
	is still a long way off, another '\0' will inevitably be encountered
	before any harm can be done.

>How-To-Repeat:
	$ timedc
	timedc> a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a

>Fix:
	Delete timed/timedc and use ntpd/ntpdc.



>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: tjr 
State-Changed-When: Mon Apr 5 02:59:38 PDT 2004 
State-Changed-Why:  
Fixed in -current a few months ago (timedc.c 1.5.) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65175 
State-Changed-From-To: patched->closed 
State-Changed-By: maxim 
State-Changed-When: Sat Jul 17 22:45:01 GMT 2004 
State-Changed-Why:  
Fixed in 4.10-RELEASE and -STABLE. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=65175 
>Unformatted:
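Added example (not from the PR, not timedc's source and not the committed timedc.c 1.5 fix): a constructed C parser for an interactive command line that applies the bounds check the report says is missing. The limits are the ones the report states (a 200-character command string, a 20-entry pointer array named margv); the struct, function names and sample lines are assumptions made for the illustration. The unchecked pattern is shown only in a comment for contrast.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Limits taken from the PR: a 200-character interactive command line and
 * a 20-entry array of argument pointers.  Everything else here is a
 * constructed illustration of the fix, not timedc's code. */
#define CMD_LINE_MAX 200
#define MARGV_MAX    20

struct cmdline {
	char  line[CMD_LINE_MAX + 1];	/* NUL-terminated copy of the input */
	char *margv[MARGV_MAX];		/* NULL-terminated like argv[] */
	int   margc;
};

/*
 * Split c->line into whitespace-separated words, storing a pointer to
 * each in c->margv[].  The unchecked pattern the PR describes amounts to
 *
 *     while ((word = next_word()) != NULL)
 *         margv[margc++] = word;
 *
 * which writes past margv[MARGV_MAX - 1] once the line holds more than
 * 20 words.  Here the store is gated on remaining capacity, one slot is
 * reserved for the terminating NULL, and a line with too many words is
 * rejected as a whole instead of being silently truncated.
 * Returns the word count, or -1 if the words do not fit.
 */
static int
split_args(struct cmdline *c)
{
	char *p = c->line;

	c->margc = 0;
	while (*p != '\0') {
		while (isspace((unsigned char)*p))
			p++;
		if (*p == '\0')
			break;
		if (c->margc >= MARGV_MAX - 1) {	/* keep room for NULL */
			c->margv[0] = NULL;
			c->margc = -1;
			return -1;
		}
		c->margv[c->margc++] = p;
		while (*p != '\0' && !isspace((unsigned char)*p))
			p++;
		if (*p != '\0')
			*p++ = '\0';		/* terminate the word in place */
	}
	c->margv[c->margc] = NULL;
	return c->margc;
}

/*
 * Copy one command line into the fixed buffer with an explicit length
 * check, so the terminating '\0' is always present, then split it.
 * Returns the word count, or -1 if the line is too long or has too many
 * words.
 */
static int
parse_command(struct cmdline *c, const char *input)
{
	size_t n = strlen(input);

	if (n > CMD_LINE_MAX) {
		c->margv[0] = NULL;
		c->margc = -1;
		return -1;
	}
	memcpy(c->line, input, n + 1);	/* includes the '\0' */
	return split_args(c);
}

/* Feed a constructed line well over CMD_LINE_MAX to exercise the check. */
static int
parse_overlong_line(struct cmdline *c)
{
	char big[CMD_LINE_MAX + 50];

	memset(big, 'a', sizeof(big) - 1);
	big[sizeof(big) - 1] = '\0';
	return parse_command(c, big);
}

static struct cmdline g_cmd;

int
main(void)
{
	/* Constructed sample lines; the second mirrors the PR's repeat step. */
	const char *lines[] = {
		"a b c",
		"a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a",
	};
	size_t i;

	for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
		int rc = parse_command(&g_cmd, lines[i]);
		if (rc < 0)
			printf("rejected: too long or more than %d words\n",
			    MARGV_MAX - 1);
		else
			printf("%d words, first \"%s\"\n", rc, g_cmd.margv[0]);
	}
	return 0;
}
```

Two details carry the weight: the capacity check runs before every store, not after the loop, and the copy into the fixed line buffer is length-checked so the '\0' the report's footnote worries about can never be overwritten by the parser itself.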
