Bug#520254: unhide leaks handles, overwrites its stack, and so forth
Walter Doekes
walter+debian at wjd.nu
Sun Nov 1 22:59:04 UTC 2009
Package: unhide
Version: 20080519-2
Followup-For: Bug #520254
Running unhide with the `brute` option causes segfaults due to various flaws in the source.
See this patch:
--- ../unhide-20080519.orig/unhide-linux26.c 2009-11-01 22:05:39.000000000 +0100
+++ ./unhide-linux26.c 2009-11-01 23:46:25.000000000 +0100
@@ -1,5 +1,5 @@
/* Unhide yjesus at security-projects.com */
-
+#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
@@ -12,6 +12,7 @@
#include <signal.h>
#include <stdlib.h>
#include <sys/sysinfo.h>
+#include <sys/wait.h>
#define COMMAND "nice -20 ps axHo sess,pid | awk '{ print $2 }' | grep -v PID"
@@ -40,7 +41,7 @@
count = 0;
- if ( errno == 0) {
+ if (dirp != NULL) {
while ((ptr = readdir(dirp)) != NULL) {
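Review bot: The `dirp != NULL` test replaces the unreliable `errno == 0` check, but the `readdir()` loop on the following line still cannot distinguish end-of-directory from a read error, because both return NULL. Set `errno = 0;` immediately before the `while` and, after it, treat `errno != 0` as a failed scan rather than as a directory holding `count` entries; otherwise a transient error under-counts and the later `count > 3` decision is made on partial data. The enclosing function begins before this hunk, so where `dirp` is opened is not visible here.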
@@ -48,9 +49,9 @@
count++;
}
- if ( count > 3 ) { return(1) ;}
+ if ( count > 3 ) { closedir(dirp); return(1) ;}
- else {return(0);}
+ else {closedir(dirp); return(0);}
}
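Review bot: Both return paths now close `dirp`, but when `opendir()` failed and `dirp` is NULL the whole `if` block is skipped and — assuming this function returns int, as its `return(1)`/`return(0)` suggest — control falls off the end without a value, which is undefined behaviour and hands the caller an indeterminate verdict. Add an explicit return after the closing brace of the `if (dirp != NULL)` block, preferably a distinct value such as `return(-1);` so the caller can tell "could not check" apart from "not hidden". The function's opening and return type are outside this hunk and should be confirmed there.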
@@ -75,6 +76,10 @@
FILE *fich_tmp ;
fich_tmp=popen (COMMAND, "r") ;
+ if (fich_tmp == NULL) {
+ printf("popen failed while checking pid %d (memory, or something set by errno: %s)\n", tmppid, strerror(errno));
+ return;
+ }
while (!feof(fich_tmp) && ok == 0) {
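Review bot: The NULL check stops the crash, but a bare `return;` makes the checker silently skip `tmppid`, so any condition that makes `popen()` fail — fork or file-descriptor exhaustion, which a process trying to stay hidden can induce deliberately — turns into a false negative with no change in exit status. For a rootkit detector the failure should be loud: send the diagnostic to stderr and abort or propagate a failure so the run is reported as incomplete, e.g. `fprintf(stderr, "popen failed while checking pid %d: %s\n", tmppid, strerror(errno)); exit(EXIT_FAILURE);`. The same applies to the identical guards added for the session and pgid checks further down. The function containing this hunk starts and ends outside it.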
@@ -95,6 +100,10 @@
FILE *fich_session ;
fich_session=popen (SESSION, "r") ;
+ if (fich_session == NULL) {
+ printf("popen failed while session checking pid %d (memory, or something set by errno: %s)\n", tmppid, strerror(errno));
+ return;
+ }
while (!feof(fich_session) && ok == 0) {
@@ -114,6 +123,10 @@
FILE *fich_pgid ;
fich_pgid=popen (PGID, "r") ;
+ if (fich_pgid == NULL) {
+ printf("popen failed while pgid checking pid %d (memory, or something set by errno: %s)\n", tmppid, strerror(errno));
+ return;
+ }
while (!feof(fich_pgid) && ok == 0) {
@@ -159,6 +172,7 @@
cmdfile=fopen (cmd, "r") ;
+ if (cmdfile != NULL) {
while (!feof (cmdfile)) {
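Review bot: The guard removes the NULL dereference, but when `fopen()` of `cmd` fails nothing at all is printed, so a PID that was just flagged loses its command line silently — and an unreadable `/proc/<pid>/cmdline` for a process that is otherwise present is itself worth surfacing to the operator. Add an `else` branch that reports it, e.g. `else { fprintf(stderr, "cannot open %s: %s\n", cmd, strerror(errno)); }`. The `while (!feof(cmdfile))` loop that follows is the classic feof-before-read pattern and runs one extra iteration at end of file; loop on the read call's return value instead. The function starts before this hunk.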
@@ -166,6 +180,8 @@
printf ("Command: %s\n\n", cmdcont);
}
+ fclose(cmdfile);
+ }
}
}
}
@@ -277,7 +293,7 @@
void checksched_getaffinity() {
int syspids;
- unsigned long mask;
+ cpu_set_t mask;
printf ("[*]Searching for Hidden processes through sched_getaffinity() scanning\n\n") ;
@@ -288,7 +304,7 @@
errno= 0 ;
- ret = sched_getaffinity(syspids, sizeof(unsigned int), &mask);
+ ret = sched_getaffinity(syspids, sizeof(mask), &mask);
if ( errno == 0) {
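Review bot: The call now passes the real mask size, but success is still judged by `errno == 0` on the next line rather than by `ret`, so any failure other than ESRCH — for instance EINVAL on a kernel whose CPU mask is wider than `cpu_set_t`, the same class of failure the old `sizeof(unsigned int)` would hit on large systems — is treated like "no such process" and the PID silently drops out of the scan. Test the return value and interpret only ESRCH as absence: `if (ret == 0) { /* process exists */ } else if (errno != ESRCH) { perror("sched_getaffinity"); }`. The bodies of the `if` branches lie outside this hunk, so the handling of the existing-process case is not visible here.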
@@ -380,11 +396,16 @@
printf ("[*]Searching for Hidden processes through sysinfo() scanning\n\n") ;
fich_proceso=popen (COMMAND, "r") ;
+ if (fich_proceso == NULL) {
+ printf("popen failed while checking sysinfo (memory, or something set by errno: %s)\n", strerror(errno));
+ return;
+ }
+ buffer[499] = '\0';
while (!feof(fich_proceso)) {
- fscanf( fich_proceso, "%s", &buffer );
+ fscanf( fich_proceso, "%499s", &buffer[0] );
contador++;
}
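Review bot: The `%499s` width bounds the write, but `fscanf()`'s return value is still ignored inside `while (!feof(fich_proceso))`, so after the last token one more iteration runs, `fscanf` returns EOF, and `contador` is incremented once too often — an off-by-one in a count that this scan presumably compares against the `sysinfo()` process number. Drive the loop off the read instead, `while (fscanf(fich_proceso, "%499s", buffer) == 1) { contador++; }`, which also makes the `buffer[499] = '\0'` line unnecessary since `%499s` NUL-terminates. This assumes `buffer` is declared with at least 500 bytes; its declaration and the comparison that uses `contador` are outside the hunk. As with the other `popen()` guards, a bare `return;` on failure silently yields an incomplete scan rather than an error.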
@@ -407,7 +428,6 @@
void brute() {
int i=0;
- int vpid;
int allpids[maxpid] ;
int x;
int y;
@@ -416,7 +436,7 @@
printf ("[*]Starting scanning using brute force against PIDS\n\n") ;
- for(x=0; x < 299; x++) {
+ for(x=0; x < 300; x++) {
allpids[x] = '\0' ;
}
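Review bot: The loop now covers all 300 low slots, but `allpids[300..maxpid-1]` is still never initialised, and the detection loop later treats a non-zero slot as "PID never handed to a child, therefore in use" — so the scan depends on indeterminate stack contents, which may well be zero and then hide every process. Initialise the whole array explicitly and make the cut-off visible: `for (x = 0; x < maxpid; x++) { allpids[x] = (x < 300) ? '\0' : 1; }`. That also removes the out-of-bounds write the fixed-count loop performs whenever `maxpid` is below 300. The meaning of the 300-PID exclusion is not stated anywhere in the hunk; a one-line comment naming it would help, e.g. `/* PIDs below 300 are reserved by the kernel and never brute-forced */` if that is indeed the reason.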
@@ -429,22 +449,24 @@
for (i=0; i < maxpid; i++) {
+ int vpid;
+ int status;
errno= 0 ;
- if (vfork() == 0) {
-
- vpid = getpid();
+ if ((vpid = vfork()) == 0) {
- allpids[vpid] = '\0';
+ allpids[getpid()] = '\0';
- exit(1);
+ _exit(1);
}
- waitpid(vpid);
+ waitpid(vpid, &status, 0);
}
+ /* processes that quit at this point in time create false positives */
+
for(y=0; y < maxpid; y++) {
if (allpids[y] != '\0') {
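Review bot: `vpid` is now captured, but its failure value is never checked: when `vfork()` returns -1 (EAGAIN once the process or PID limit is hit — something a fork bomb run by the very process being hunted can cause at will) the code proceeds to `waitpid(-1, ...)`, which waits for any child, and the slot for this iteration is simply never cleared, yielding a false positive with no error. Add `if (vpid < 0) { perror("vfork"); exit(EXIT_FAILURE); }` before the `waitpid()` so the scan fails visibly instead. Note also that the child's write to `allpids[getpid()]` only reaches the parent because Linux's `vfork()` shares the address space; POSIX permits nothing but `_exit` and `exec` in that child, so the technique deserves a comment marking it Linux-specific, and the index should be bounded (`getpid() < maxpid`) in case `pid_max` was raised after `maxpid` was read. `brute()` continues beyond this hunk.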
@@ -497,5 +519,5 @@
}
-
+ return 0;
}
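Review bot: The added `return 0;` gives the function a defined exit status, but if this is `main()` — its signature is outside the hunk — it now always exits 0, so a caller such as rkhunter or a cron job cannot tell "nothing hidden" from "hidden processes found" or from a scan that bailed out early. Consider returning non-zero when any hidden PID was reported, e.g. `return found ? 1 : 0;` with `found` set wherever a hidden PID is printed.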
Regards,
Walter Doekes
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
unhide depends on no packages.
unhide recommends no packages.
Versions of packages unhide suggests:
pn rkhunter <none> (no description available)
-- no debconf information