SGI IRIX df buffer overflow in directory argument

2000-12-15T00:00:00
ID VU:20851
Type cert
Reporter CERT
Modified 2000-12-15T20:00:00

Overview

Description

The df program displays statistics about the amount of used and free disc space on a set of mounted file systems. Alternatively, it can be used to check the amount of space available on unmounted block devices, which are specified by path.

Due to insufficient bounds checking on either directory or block device arguments which are supplied by users, it is possible to overwrite the internal stack space of the df program while it is executing. By supplying a carefully designed argument to the df program, intruders may be able to force df to execute arbitrary code. Since df is setuid root, this will allow intruders to run arbitrary code with root privileges.


Impact

This vulnerability may allow local users to gain root privileges.


Solution

Apply the patch provided by SGI.


1. Remove setuid perms, and execute perms from df.

% chmod u-s `which df`

2. Use the AUSCERT wrapper

The source for the wrapper, including installation instructions, can
be found at:

<ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c>

An extract from AA-97.19.IRIX.df.buffer.overflow.vul:

This wrapper replaces the df program and checks the length of the command line arguments which are passed to it. If an argument exceeds a certain predefined value (MAXARGLEN), the wrapper exits without executing the df command. The wrapper program can also be configured to syslog any failed attempts to execute df with arguments exceeding MAXARGLEN. For further instructions on using this wrapper, please read the comments at the top of overflow_wrapper.c. When compiling overflow_wrapper.c for use with df, AUSCERT recommends defining MAXARGLEN to be 32.
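The check described in the extract above, as an added example; it is not AUSCERT's overflow_wrapper.c and not code from the advisory. MAXARGLEN is the value recommended above, while `REAL_PROG`, the `df_wrapper` syslog tag and the function name `first_oversized_arg` are assumptions made for this sketch.

```c
/* Added illustration of an argument-length wrapper; NOT AUSCERT's overflow_wrapper.c. */
#include <stdio.h>
#include <stddef.h>
#include <syslog.h>
#include <unistd.h>

#ifndef MAXARGLEN
#define MAXARGLEN 32                    /* value the advisory recommends for df */
#endif
#ifndef REAL_PROG
#define REAL_PROG "/usr/sbin/df.real"   /* assumed path of the relocated df binary */
#endif

/* Return the index of the first argument longer than maxlen bytes, or -1 if
 * every argument fits. The scan stops at maxlen + 1 bytes per argument. */
int first_oversized_arg(int argc, char *const argv[], size_t maxlen)
{
    for (int i = 0; i < argc && argv[i] != NULL; i++) {
        size_t n = 0;
        while (n <= maxlen && argv[i][n] != '\0')
            n++;
        if (n > maxlen)
            return i;
    }
    return -1;
}

int main(int argc, char *argv[])
{
    int bad = first_oversized_arg(argc, argv, MAXARGLEN);
    if (bad >= 0) {
        /* Record the rejected invocation, then exit without running df. */
        openlog("df_wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING, "uid %ld: argument %d longer than %d bytes; df not executed",
               (long)getuid(), bad, MAXARGLEN);
        closelog();
        fprintf(stderr, "df: argument too long\n");
        return 1;
    }
    execv(REAL_PROG, argv);   /* fixed path: no PATH lookup, no shell */
    perror("execv");          /* reached only if execv itself fails */
    return 1;
}
```

An argument of exactly MAXARGLEN bytes is passed through; one byte more is rejected and logged.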


Vendor Information

SGI Affected

Updated: June 22, 1998

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Affected

Updated: December 15, 2000

Status

Affected

Vendor Statement

Silicon Graphics Inc. Security Advisory

Title: IRIX df Buffer Overrun Vulnerability
Title: AUSCERT Advisory AA-97.19 and CERT Advisory CA-97.21
Number: 19970505-02-PX
Date: November 18, 1997

Please see:

<ftp://sgigate.sgi.com/security/19970505-02-PX>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


References

  • <ftp://sgigate.sgi.com/security/19970505-01-A>
  • <ftp://sgigate.sgi.com/security/19970505-02-PX>
  • <ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.19.IRIX.df.buffer.overflow.vul>
  • <ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c>
  • <http://xforce.iss.net/static/440.php>

Acknowledgements

This document was written by Jeff S Havrilla.

Other Information

Field | Value
---|---
CVE IDs | CVE-1999-0025
CERT Advisory | CA-1997-21
Severity Metric | 14.06
Date Public | 1997-05-24
Date First Published | 2000-12-15
Date Last Updated | 2000-12-15 20:00 UTC
Document Revision | 7