Vulnerability Note VU#20851

SGI IRIX df buffer overflow in directory argument

Original Release date: 15 Dec 2000 | Last revised: 15 Dec 2000

Overview

Description

The df program is used to display statistics about the amount of used and free disc space on a set of mounted file systems. Alternately, it can be used to check on the amount of space available on unmounted block devices which may be specified by some path.

Due to insufficient bounds checking on either directory or block device arguments which are supplied by users, it is possible to overwrite the internal stack space of the df program while it is executing. By supplying a carefully designed argument to the df program, intruders may be able to force df to execute arbitrary code. Since df is setuid root, this will allow intruders to run arbitrary code with root privileges.

Impact

This vulnerability may allow local users to gain root privileges.

Solution

Apply the patched provided by SGI.

1. Remove setuid perms, and execute perms from df.

% chmod u-s `which df`

2. Use the AUSCERT wrapper

The source for the wrapper, including installation instructions, can
be found at:

ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c


An extract from AA-97.19.IRIX.df.buffer.overflow.vul:

This wrapper replaces the df program and checks the length of the command line arguments which are passed to it.  If an argument exceeds a certain predefined value (MAXARGLEN), the wrapper exits without executing the df command.  The wrapper program can also be configured to syslog any failed attempts to execute df with arguments exceeding MAXARGLEN.  For further instructions on using this wrapper, please read the comments at the top of overflow_wrapper.c. When compiling overflow_wrapper.c for use with df, AUSCERT recommends defining MAXARGLEN to be 32.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
SGIAffected-22 Jun 1998
SGIAffected-15 Dec 2000
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This document was written by Jeff S Havrilla.

Other Information

  • CVE IDs: CVE-1999-0025
  • CERT Advisory: CA-1997-21
  • Date Public: 24 May 97
  • Date First Published: 15 Dec 2000
  • Date Last Updated: 15 Dec 2000
  • Severity Metric: 14.06
  • Document Revision: 7

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.