Author Topic: Stack Exploit In Busybox Rmmod?  (Read 2820 times)

imi

« on: July 29, 2005, 08:45:12 pm »
Hi,

while I am waiting for my OpenEmbedded to finish compiling, I just looked over some patches in the packages directory:

From packages/busybox/busybox-1.00/rmmod.patch

@@ -109,7 +120,10 @@
                for (n = optind; n < argc; n++) {
 #ifdef CONFIG_FEATURE_2_6_MODULES
                        char module_name[strlen(argv[n]) + 1];
-                       filename2modname(module_name, argv[n]);
+                       if (k_version != 4)
+                               filename2modname(module_name, argv[n]);
+                       else
+                               strcpy(module_name, argv[n]);
 #else
 #define module_name            argv[n]
 #endif
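
Review bot: in the else branch, `strcpy(module_name, argv[n])` only fits because of the context line `char module_name[strlen(argv[n]) + 1];`, and that array is sized by the command-line argument with no upper bound, so stack use at this point is set by whoever supplies the argument. Suggest checking the argument length against a fixed maximum before this block and using a fixed-size buffer with a bounded copy. In the `k_version == 4` case the name is copied through unchanged, so the copy could be dropped by using `argv[n]` directly, as the `#else` branch already does. The constant in `k_version != 4` also wants a comment or a named macro, since the hunk does not say what the value represents.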


I am not sure whether the char declaration itself is exploitable using very large command line arguments, but with the strcpy it gets worse since now you can inject code if the line argument exceeds the stack size. If busybox runs suid... (well, this only gets interesting if the root-password isn't just empty ;-)


Ciao, Imi.
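
A bounded alternative to the argument-sized stack array discussed in the post above, as an added example that is not part of the original post and is not BusyBox code. The helper `copy_module_name` and the 64-byte cap `MODNAME_CAP` are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed cap for this example; not a value taken from BusyBox or the kernel. */
#define MODNAME_CAP 64

/*
 * Hypothetical helper: copy a module name from an untrusted argument into a
 * fixed-size buffer. Returns 0 on success, -1 if the argument is empty or
 * does not fit. memchr() looks at no more than dstsz bytes, so an oversized
 * argument costs neither stack space nor a full-length scan.
 */
int copy_module_name(char *dst, size_t dstsz, const char *arg)
{
    const char *end;
    size_t len;

    if (dst == NULL || arg == NULL || dstsz == 0)
        return -1;

    end = memchr(arg, '\0', dstsz);
    len = end ? (size_t)(end - arg) : dstsz;

    if (len == 0 || len >= dstsz) {   /* empty, or no room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, len + 1);        /* includes the terminating NUL */
    return 0;
}

/* Stand-alone demo on constructed inputs: exit status 0 means both checks held. */
int main(void)
{
    char name[MODNAME_CAP];
    char huge[4096];

    memset(huge, 'A', sizeof(huge) - 1);
    huge[sizeof(huge) - 1] = '\0';

    return (copy_module_name(name, sizeof(name), "usbcore") == 0 &&
            copy_module_name(name, sizeof(name), huge) == -1) ? 0 : 1;
}
```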