GNU-make filename buffer overflow


GNU-make filename buffer overflow

Core Security Advisories Team (CS)

Alfredo Ortega from Core Security Technologies has found that GNU Make
is vulnerable to a stack buffer overflow.

We would like to receive information about your plans for fixing this
bug. Technical details follow.

Affected software: GNU Make-3.81 and before.

The security impact of this bug is very low, because Makefiles already
contain the functionality to execute arbitrary code.

The bug resides in the following code at implicit.c:

  199    static int
  200    pattern_search (struct file *file, int archive,
  201                unsigned int depth, unsigned int recursions)
  202    {
  203    /* Filename we are searching for a rule for.  */
  204    char *filename = archive ? strchr (file->name, '(') : file->name;


  271   PATH_VAR (stem_str); /* @@ Need to get rid of stem, stemlen, etc. */


  470          if (check_lastslash)
  471            {
  472              stem += lastslash - filename + 1;
  473              stemlen -= (lastslash - filename) + 1;
  474            }
  476          DBS (DB_IMPLICIT, (_("Trying pattern rule with stem `%.*s'.\n"),
  477                             (int) stemlen, stem));
  479              strncpy (stem_str, stem, stemlen);
  480              stem_str[stemlen] = '\0';

  Here, in line 271 the program is allocating a fixed-length variable on
  the stack (using the macro PATH_VAR), but in line 479 the filename is
  being copied to this buffer without any length-checking.

  An easy way to trigger the bug is via command-line arguments.
  For example:

      $ make AAAAAA... (10000 A's)

  Also, the bug can be triggered from inside Makefiles.
  The following Proof of Concept triggers an Int3 on a FreeBSD-6.2-RELEASE
  system. Other software may be vulnerable.

  #Alfredo A. Ortega - Core Security Exploit Writers Team (EWT)
  #GNU Make stack overflow
  #This Python script generates a Makefile that triggers the overflow
  #and executes an int3 instruction (SIGTRAP)
  #Tested on FreeBSD-6.2-RELEASE
  #usage: python >Makefile;gmake

  import os
  #ShellCode placeholder
  #NOTE: the line defining 'overflow' (the oversized target name) was not
  #preserved in the archived message above.
  print("all: %s" % overflow)

Thanks in advance,

Carlos Sarraute
Advisories Team
Core Security Technologies

Bug-make mailing list
[hidden email]
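A bounded version of the copy the advisory points at (lines 479-480), as an added example that is neither GNU make's code nor the advisory's: STEM_BUF_SIZE is an assumed stand-in for the PATH_VAR buffer size, and the "%<suffix>" matching is a simplified model of how pattern_search() derives the stem from a target name.

```c
#include <stdlib.h>
#include <string.h>

/* Stands in for the fixed-size buffer make declares with PATH_VAR(stem_str);
   the size is an assumption for this example, not make's real value. */
#define STEM_BUF_SIZE 64

/* Bounded replacement for the copy at the advisory's lines 479-480: copies
   stemlen bytes plus a NUL only when they fit. 0 on success, -1 if too long. */
int copy_stem_bounded(char *dst, size_t dstsize, const char *stem, size_t stemlen)
{
    if (dstsize == 0 || stemlen > dstsize - 1)
        return -1;
    memcpy(dst, stem, stemlen);
    dst[stemlen] = '\0';
    return 0;
}

/* Matches target against a rule "%<suffix>" (e.g. "%.o"), takes the stem
   (everything before the suffix) and copies it into a stack buffer the way
   pattern_search() does, but bounded. 0: stem copied; -1: pattern does not
   match; -2: stem too long (the input that overflowed the stack in make 3.81). */
int try_pattern_rule(const char *target, const char *suffix)
{
    char stem_str[STEM_BUF_SIZE];
    size_t tlen = strlen(target), slen = strlen(suffix);
    if (tlen < slen || memcmp(target + tlen - slen, suffix, slen) != 0)
        return -1;
    return copy_stem_bounded(stem_str, sizeof stem_str, target, tlen - slen) == 0 ? 0 : -2;
}

/* Builds a target of `count` copies of `c` followed by suffix (the advisory's
   "10000 A's" shape) and runs it through try_pattern_rule. -3 on malloc failure. */
int try_repeated_target(char c, size_t count, const char *suffix)
{
    int rc;
    char *target = malloc(count + strlen(suffix) + 1);
    if (!target)
        return -3;
    memset(target, c, count);
    strcpy(target + count, suffix);
    rc = try_pattern_rule(target, suffix);
    free(target);
    return rc;
}
```

With the check in place the 10000-character target from the advisory is rejected with -2 instead of writing past stem_str.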