From venglin@freebsd.lublin.pl  Thu May  5 13:44:59 2005
Return-Path: <venglin@freebsd.lublin.pl>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2EEAF16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  5 May 2005 13:44:59 +0000 (GMT)
Received: from mailhost.freebsd.lublin.pl (mailhost.freebsd.lublin.pl [193.138.118.4])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 260D043D31
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  5 May 2005 13:44:58 +0000 (GMT)
	(envelope-from venglin@freebsd.lublin.pl)
Received: from lagoon.freebsd.lublin.pl (qmailr@lagoon.freebsd.lublin.pl [193.138.118.3])
	by mailhost.freebsd.lublin.pl (8.13.1/8.13.1) with SMTP id j45Diq8P026135
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 5 May 2005 15:44:52 +0200 (CEST)
	(envelope-from venglin@freebsd.lublin.pl)
Received: (qmail 25911 invoked by uid 1001); 5 May 2005 13:44:52 -0000
Message-Id: <20050505134452.25852.qmail@lagoon.freebsd.lublin.pl>
Date: 5 May 2005 13:44:52 -0000
From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Reply-To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [SECURITY] Missing NULL termination after strncpy() in rlogin(1)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         80661
>Category:       bin
>Synopsis:       [patch] [SECURITY] Missing NULL termination after strncpy() in rlogin(1)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    simon
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 05 13:50:04 GMT 2005
>Closed-Date:    Sun Jun 12 14:29:23 GMT 2005
>Last-Modified:  Sun Jun 12 14:29:23 GMT 2005
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
czuby.net
>Environment:
System: FreeBSD lagoon.freebsd.lublin.pl 4.11-STABLE FreeBSD 4.11-STABLE #0: Tue Feb 8 12:36:09 CET 2005 root@riget.scene.pl:/usr/src/sys/compile/RIGET i386
>Description:

	usr.bin/rlogin/rlogin.c:
#ifdef KERBEROS
                case 'k':
                        dest_realm = dst_realm_buf;
                        (void)strncpy(dest_realm, optarg, REALM_SZ);
                        break;
#endif

	Dest_realm buffer isn't NULL terminated if sizeof(optarg) == REALM_SZ
	leading to possible security vulnerability. Rlogin client
	is setuid root and offending code is executed before dropping
	privs.

	The bug is present only in RELENG_4 if rlogin is compiled
	with Kerberos support. RELENG_5 is dekerberized and therefore
	not buggy.

>How-To-Repeat:
	N/A
>Fix:

--- usr.bin/rlogin/rlogin.c.old Thu May  5 15:41:13 2005
+++ usr.bin/rlogin/rlogin.c     Thu May  5 15:42:46 2005
@@ -228,7 +228,7 @@
 #ifdef KERBEROS
                case 'k':
                        dest_realm = dst_realm_buf;
-                       (void)strncpy(dest_realm, optarg, REALM_SZ);
+                       (void)strlcpy(dest_realm, optarg, REALM_SZ);
                        break;
 #endif
                case 'l':

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: simon 
State-Changed-When: Sun May 29 15:33:56 GMT 2005 
State-Changed-Why:  
We (the Security Team) can't find anywhere in the code-path where this 
bug where this could lead to a situation that could be exploited as a 
security vulnerability.  You could crash rlogin, but not in a way 
which would cause it to execute arbitrary cod as root.  Have you found 
any explicit place this bug could be exploited? 

In any case, I have committed the patch to RELENG_4 since not NUL 
terminating the buffer is certainly a bug, even it's not a security 
bug. 

Thanks for the report.  I'm keeping the PR open in feedback state for 
now, since I would like to hear comments from Przemyslaw Frasunek 
before totally closing this issue. 


Responsible-Changed-From-To: freebsd-bugs->simon 
Responsible-Changed-By: simon 
Responsible-Changed-When: Sun May 29 15:33:56 GMT 2005 
Responsible-Changed-Why:  
I will handle followups. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=80661 
State-Changed-From-To: feedback->closed 
State-Changed-By: simon 
State-Changed-When: Sun Jun 12 14:28:21 GMT 2005 
State-Changed-Why:  
Close the PR since the submitter agrees that this does not seem 
exploitable. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=80661 
>Unformatted:
