Vulnerability Note VU#20851

The df program is used to display statistics about the amount of used and free disc space on a set of mounted file systems. Alternately, it can be used to check on the amount of space available on unmounted block devices which may be specified by some path.

Due to insufficient bounds checking on either directory or block device arguments which are supplied by users, it is possible to overwrite the internal stack space of the df program while it is executing. By supplying a carefully designed argument to the df program, intruders may be able to force df to execute arbitrary code. Since df is setuid root, this will allow intruders to run arbitrary code with root privileges.

This vulnerability may allow local users to gain root privileges.

Apply the patched provided by SGI.

1. Remove setuid perms, and execute perms from df.

% chmod u-s `which df`

2. Use the AUSCERT wrapper

The source for the wrapper, including installation instructions, can
be found at:

ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c


An extract from AA-97.19.IRIX.df.buffer.overflow.vul:

This wrapper replaces the df program and checks the length of the command line arguments which are passed to it.  If an argument exceeds a certain predefined value (MAXARGLEN), the wrapper exits without executing the df command.  The wrapper program can also be configured to syslog any failed attempts to execute df with arguments exceeding MAXARGLEN.  For further instructions on using this wrapper, please read the comments at the top of overflow_wrapper.c. When compiling overflow_wrapper.c for use with df, AUSCERT recommends defining MAXARGLEN to be 32.