SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#20851

SGI IRIX df buffer overflow in directory argument

Overview

I. Description

The df program is used to display statistics about the amount of used and free disc space on a set of mounted file systems. Alternately, it can be used to check on the amount of space available on unmounted block devices which may be specified by some path.

Due to insufficient bounds checking on either directory or block device arguments which are supplied by users, it is possible to overwrite the internal stack space of the df program while it is executing. By supplying a carefully designed argument to the df program, intruders may be able to force df to execute arbitrary code. Since df is setuid root, this will allow intruders to run arbitrary code with root privileges.

II. Impact

This vulnerability may allow local users to gain root privileges.

III. Solution

Apply the patched provided by SGI.

1. Remove setuid perms, and execute perms from df.

% chmod u-s `which df`

2. Use the AUSCERT wrapper

The source for the wrapper, including installation instructions, can
be found at:

ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c


An extract from AA-97.19.IRIX.df.buffer.overflow.vul:

This wrapper replaces the df program and checks the length of the command line arguments which are passed to it.  If an argument exceeds a certain predefined value (MAXARGLEN), the wrapper exits without executing the df command.  The wrapper program can also be configured to syslog any failed attempts to execute df with arguments exceeding MAXARGLEN.  For further instructions on using this wrapper, please read the comments at the top of overflow_wrapper.c. When compiling overflow_wrapper.c for use with df, AUSCERT recommends defining MAXARGLEN to be 32.

Systems Affected

VendorStatusDate NotifiedDate Updated
SGIVulnerable22-Jun-1998
SGIVulnerable15-Dec-2000

References


ftp://sgigate.sgi.com/security/19970505-01-A
ftp://sgigate.sgi.com/security/19970505-02-PX
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.19.IRIX.df.buffer.overflow.vul
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c
http://xforce.iss.net/static/440.php

Credit

This document was written by Jeff S Havrilla.

Other Information

Date Public:97-05-24
Date First Published:2000-12-15
Date Last Updated:2000-12-15
CERT Advisory:CA-1997-21
CVE-ID(s):CVE-1999-0025
NVD-ID(s):CVE-1999-0025
US-CERT Technical Alerts: 
Metric:14.06
Document Revision:7

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2000 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader