GNU GNATS pr-edit.c lock_gnats() Overflow

2003-06-21T09:12:36
ID OSVDB:2190
Type osvdb
Reporter dong-houn yoU (xploit@hackermail.com)
Modified 2003-06-21T09:12:36

Description

Vulnerability Description

GNU GNATS contains a flaw that may allow a local attacker to gain root privileges. The issue is due to a flaw in the pr-edit.c file, in which input reaching the lock_gnats() function is not properly bounds-checked. If a local attacker provides a specially crafted request, they may be able to overflow the buffer and execute arbitrary code with root privileges.

Technical Description

A heap-based overflow in pr-edit is reachable through the '-d' option; the affected code is in /gnats-3.2/gnats/internal.c.

The line of code with the overflow is: sprintf (path, "%s/gnats-adm/gnats.lock", gnats_root), which formats the caller-supplied gnats_root value into the fixed-size path buffer with no length check.

The same unbounded sprintf pattern appears in many other places in the GNATS code.
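As an added illustration (not code from the GNATS source or from this advisory), the unbounded sprintf pattern quoted above beside a bounded replacement that refuses a path that would not fit; the buffer size, function names and sample roots are hypothetical:

```c
#include <stdio.h>
#include <string.h>
#define LOCK_PATH_MAX 256   /* hypothetical fixed buffer size for the lock path */

/* Vulnerable pattern (reconstructed, not the GNATS source): sprintf() writes
 * gnats_root into a fixed-size buffer with no length check, so a root longer
 * than the buffer overruns it. Shown for contrast only; never call it with
 * untrusted input. */
void build_lock_path_unchecked(char *path, const char *gnats_root)
{
    sprintf(path, "%s/gnats-adm/gnats.lock", gnats_root);
}

/* Hardened form: snprintf() bounds the write and returns the length the full
 * string needed. A result >= path_size means the path was truncated, which is
 * reported as an error (and the buffer cleared) rather than used silently.
 * Returns the path length on success, -1 on bad arguments or overflow. */
int build_lock_path_checked(char *path, size_t path_size, const char *gnats_root)
{
    if (path == NULL || gnats_root == NULL || path_size == 0)
        return -1;
    int n = snprintf(path, path_size, "%s/gnats-adm/gnats.lock", gnats_root);
    if (n < 0 || (size_t)n >= path_size) {
        path[0] = '\0';             /* do not leave a half-built path behind */
        return -1;
    }
    return n;
}

/* Convenience wrapper over a static buffer: the path, or NULL if it would not fit. */
const char *lock_path_or_null(const char *gnats_root)
{
    static char path[LOCK_PATH_MAX];
    return build_lock_path_checked(path, sizeof path, gnats_root) < 0 ? NULL : path;
}

/* Self-check: a normal root succeeds, a 300-byte root is rejected instead of overflowing. */
int lock_path_selftest(void)
{
    char long_root[300];                      /* constructed oversized input */
    memset(long_root, 'A', sizeof long_root - 1);
    long_root[sizeof long_root - 1] = '\0';
    return lock_path_or_null("/usr/local/gnats") != NULL
        && lock_path_or_null(long_root) == NULL;
}

int main(void) { return lock_path_selftest() ? 0 : 1; }
```

The check on the snprintf return value is the whole fix: with the 300-byte root the hardened builder returns -1 and an empty buffer, where the sprintf version would have written past the end of path.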

Solution Description

Currently there is no official fix for these flaws. There is an unofficial patch available at http://www.securiteam.com/unixfocus/5CP0N0UAAA.html

References:

Secunia Advisory ID: 9096
Related OSVDB ID: 4600
Related OSVDB ID: 4601
Related OSVDB ID: 4607
Other Advisory URL: http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2003-0x82-018-GNATS-bt.txt
ISS X-Force ID: 12393
Generic Informational URL: http://www.gnu.org/software/gnats/
Generic Informational URL: http://www.securiteam.com/unixfocus/5CP0N0UAAA.html
Generic Exploit URL: http://www.securiteam.com/exploits/5DP0O0UAAI.html
Bugtraq ID: 8003