Bill Parker
2016-01-13 17:56:39 UTC
Hello All,
In reviewing some code in file 'bsd-cray.c', I found a possible
issue where data in the following code may not be properly scrubbed
in the case IA_BACKDOOR in function 'cray_setup', which is below:
case IA_BACKDOOR:
/* XXX: can we memset it to zero here so save some of this
*/
strlcpy(ue.ue_name, "root", sizeof(ue.ue_name));
strlcpy(ue.ue_dir, "/", sizeof(ue.ue_dir));
strlcpy(ue.ue_shell, "/bin/sh", sizeof(ue.ue_shell));
ue.ue_passwd[0] = '\0';
ue.ue_age[0] = '\0';
ue.ue_comment[0] = '\0';
ue.ue_loghost[0] = '\0';
ue.ue_logline[0] = '\0';
ue.ue_uid = -1;
ue.ue_nice[UDBRC_INTER] = 0;
where ue.ue_passwd[0] is set to NUL, there exists the potential that
any data beyond ue.ue_passwd[0] is still accessible in memory as the
following test program below demonstrates:
#include <stdio.h>
int main(void)
{
unsigned int n, l;
char ue[50] = "ABCDEFGHIJKLMNPOQRSTUVWXYZ0123456789";
ue[0] = '\0'; /* set this to NULL */
printf("Contents of char ue[0] is: %s\n", ue);
printf("Contents of char ue[1-36] is:");
for (n = 1; n < 36; n++)
printf("%c", ue[n]);
printf("\n");
return 0;
}
[***@moocow ~]$ ./a.out
Contents of char ue[0] is:
Contents of char ue[1-36] is:BCDEFGHIJKLMNPOQRSTUVWXYZ0123456789
As you can see, data beyond ue[0] is still accessible, should the
code not be changed to use memset() to scrub any sensitive information
still stored in various arrays in IA_BACKDOOR (and perhaps other
areas of code in bsd-cray.c, etc)?
Bill Parker (wp02855 at gmail dot com)
In reviewing some code in file 'bsd-cray.c', I found a possible
issue where data in the following code may not be properly scrubbed
in the case IA_BACKDOOR in function 'cray_setup', which is below:
case IA_BACKDOOR:
/* XXX: can we memset it to zero here so save some of this
*/
strlcpy(ue.ue_name, "root", sizeof(ue.ue_name));
strlcpy(ue.ue_dir, "/", sizeof(ue.ue_dir));
strlcpy(ue.ue_shell, "/bin/sh", sizeof(ue.ue_shell));
ue.ue_passwd[0] = '\0';
ue.ue_age[0] = '\0';
ue.ue_comment[0] = '\0';
ue.ue_loghost[0] = '\0';
ue.ue_logline[0] = '\0';
ue.ue_uid = -1;
ue.ue_nice[UDBRC_INTER] = 0;
where ue.ue_passwd[0] is set to NUL, there exists the potential that
any data beyond ue.ue_passwd[0] is still accessible in memory as the
following test program below demonstrates:
#include <stdio.h>
int main(void)
{
unsigned int n, l;
char ue[50] = "ABCDEFGHIJKLMNPOQRSTUVWXYZ0123456789";
ue[0] = '\0'; /* set this to NULL */
printf("Contents of char ue[0] is: %s\n", ue);
printf("Contents of char ue[1-36] is:");
for (n = 1; n < 36; n++)
printf("%c", ue[n]);
printf("\n");
return 0;
}
[***@moocow ~]$ ./a.out
Contents of char ue[0] is:
Contents of char ue[1-36] is:BCDEFGHIJKLMNPOQRSTUVWXYZ0123456789
As you can see, data beyond ue[0] is still accessible, should the
code not be changed to use memset() to scrub any sensitive information
still stored in various arrays in IA_BACKDOOR (and perhaps other
areas of code in bsd-cray.c, etc)?
Bill Parker (wp02855 at gmail dot com)