TUCoPS :: Unix :: General :: checkp-1.htm


Checkps 1.2 and earlier can be made to segfault with a buffer overrun
Vulnerability
 checkps
Affected
 checkps 1.2 and earlier
Description
 Duncan Simpson found the following. Crackers with root can cause
 checkps to segfault. (This could be used to probe for the
 program.) He restarted checkps development and noticed that
 checkps, his root kit ps detector for Linux (and other systems with
 /proc, albeit with less functionality), has a "feature" that
 scribbles beyond the end of a buffer in log_emailc if more than
 10Kb is sent to log() between calls to log_flush().
 This buffer cannot be exploited to run arbitrary code because all
 you can scribble are messages along the lines of "Fake pid <number>
 detetced", "Hidden pid <number>" and "{Pid <number>: fd <number>
 is <...>" for various plain-text and numeric values of <...>.
 Even if you could put shellcode in the buffer, it is allocated on
 the heap and contains no pointers to anything.
Solution
 Use the latest version from CVS. The next version will include the
 fix and Linux netstat support.
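
The overrun described above happens when more text is queued between calls to log_flush() than the buffer can hold. As an added example (not checkps code and not the fix in CVS), here is a bounded message queue in C that flushes when a message does not fit and truncates a single message larger than the whole buffer. LOG_BUF_SIZE, log_bounded and log_flush_bounded are hypothetical names, and the 10240-byte size is assumed from the 10Kb figure.

```c
#include <stdarg.h>
#include <stdio.h>

#define LOG_BUF_SIZE 10240      /* assumed from the advisory's 10Kb figure */
static char log_buf[LOG_BUF_SIZE];
static size_t log_used;         /* bytes queued, not counting the NUL */
static unsigned flush_count;    /* times a flush was performed */

/* Stand-in for mailing the queued report: here it only empties the buffer. */
static void log_flush_bounded(void)
{
    log_used = 0;
    log_buf[0] = '\0';
    flush_count++;
}

/* Queue one message; returns bytes stored, or -1 on a formatting error. */
static int log_bounded(const char *fmt, ...)
{
    for (;;) {
        size_t room = LOG_BUF_SIZE - log_used;  /* >= 1: log_used < size */
        va_list ap;
        va_start(ap, fmt);
        int n = vsnprintf(log_buf + log_used, room, fmt, ap);
        va_end(ap);
        if (n < 0) {                    /* formatting failed: drop it */
            log_buf[log_used] = '\0';
            return -1;
        }
        if ((size_t)n < room) {         /* fits, including the NUL */
            log_used += (size_t)n;
            return n;
        }
        if (log_used == 0) {            /* alone exceeds the buffer: truncate */
            log_used = room - 1;
            return (int)log_used;
        }
        log_buf[log_used] = '\0';       /* undo partial write, flush, retry */
        log_flush_bounded();
    }
}

int main(void)
{
    for (int i = 0; i < 2000; i++)      /* constructed input, far over 10Kb */
        log_bounded("Hidden pid %d\n", 100000 + i);
    printf("flushes=%u queued=%zu\n", flush_count, log_used);
    return 0;
}
```

The space check happens on every append, so the write position never passes the end of the buffer however many messages arrive before the next flush.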
