[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Stack Overflow Vulnerability in procps's top

Title: Stack Overflow Vulnerability in procps's top
Released by: Ben Lull
Date: 17th August 2000
Printable version: Click here

            The utility top, included with the procps package in

Slackware Linux, contains multiple buffer

            overruns.  Although the top utility is not sXid by default,

it is still a problem.  Through security comes

            stability, and by creating secure applications, you will in

turn, create stable applications.  The overflows

            occur in two different places.  When a call to strcpy() is

made, it copies the environmental variable

            HOME into the buffer rcfile[1024] without bounds checking.


            Included with this post is proof of concept code (topoff.c)

for Slackware Linux 7.0.0 and 7.1.0.   Simply

            remove the comment in front of '#define RET' for the version

of Slackware which you are testing and

            compile.  When run, the result will be a execve()'ed

/bin/sh.  You can also verify that your version of top

            is vulnerable by setting the environment HOME to a string

greater then 1023 bytes.


            A patch for the most current version of procps

(procps-2.0.6) is attached to this post.   Obtain

            procps-2.0.6 from any Slackware distribution site under the

source/a/procps/ directory.  Unpack

            procps-2.0.6.tar.gz and apply the included patch



            I'd like to actually say thank you to my boss for not

getting on my case when I stray from my work to

            play with things such as this.


            For reference, you can see all previous posts at


- Ben


* Ben Lull                                *

* Valley Local Internet, Inc *

* Systems Administrator     *


(C) 1999-2000 All rights reserved.