
Alfredo Ortega from Core Security Technologies has found that GNU Make is vulnerable to a stack buffer overflow.

We would like to receive information about your plans for fixing this bug. Technical details follow.

Affected software: GNU Make-3.81 and before.

The security impact of this bug is very low, because Makefiles already
contain the functionality to execute arbitrary code.

The bug resides in the following code at implicit.c:

 199    static int
 200    pattern_search (struct file *file, int archive,
 201                unsigned int depth, unsigned int recursions)
 202    {
 203    /* Filename we are searching for a rule for.  */
 204    char *filename = archive ? strchr (file->name, '(') : file->name;


 271   PATH_VAR (stem_str); /* @@ Need to get rid of stem, stemlen, etc. */


 470          if (check_lastslash)
 471            {
 472              stem += lastslash - filename + 1;
 473              stemlen -= (lastslash - filename) + 1;
 474            }
 476          DBS (DB_IMPLICIT, (_("Trying pattern rule with stem `%.*s'.\n"),
 477                             (int) stemlen, stem));
 479          strncpy (stem_str, stem, stemlen);
 480          stem_str[stemlen] = '\0';

 Here, in line 271 the program allocates a fixed-length buffer on the
 stack (using the PATH_VAR macro), but in line 479 the stem derived from
 the filename is copied into this buffer without any length check, and
 line 480 then writes a terminating NUL at stem_str[stemlen].
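 The following is an added illustration, not GNU Make's code: a checked
 replacement for the unchecked strncpy into the fixed-size PATH_VAR
 buffer, with a simplified stem derivation (everything after the last
 '/') standing in for the real pattern matching; PATH_MAX_DEMO is an
 assumed, deliberately small buffer size.

```c
/* Added example, not GNU Make's code. PATH_MAX_DEMO is an assumed,
 * deliberately small stand-in for the PATH_VAR buffer size so the
 * length check is easy to exercise. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PATH_MAX_DEMO 64

/* Mirrors the defect: strncpy (stem_str, stem, stemlen) followed by
 * stem_str[stemlen] = '\0' writes stemlen + 1 bytes, so any stem whose
 * length is >= the buffer size overruns the stack buffer. This only
 * reports whether that would happen; it never copies anything. */
int stem_overflows(size_t stemlen, size_t bufsize)
{
    return stemlen + 1 > bufsize;
}

/* Hardened copy: refuses a stem that would not fit together with its
 * terminating NUL. Returns 0 on success, -1 if the caller should skip
 * this candidate rule instead of copying. */
int copy_stem_checked(char *dst, size_t dstsize,
                      const char *stem, size_t stemlen)
{
    if (dstsize == 0 || stemlen >= dstsize)
        return -1;
    memcpy(dst, stem, stemlen);
    dst[stemlen] = '\0';
    return 0;
}

/* Simplified stand-in for pattern_search's stem handling: treat the
 * part of the target after the last '/' as the stem, then copy it
 * through the checked routine. */
int try_stem(const char *filename, char *out, size_t outsize)
{
    const char *lastslash = strrchr(filename, '/');
    const char *stem = lastslash ? lastslash + 1 : filename;
    return copy_stem_checked(out, outsize, stem, strlen(stem));
}

int main(void)
{
    char stem_str[PATH_MAX_DEMO];
    char longname[10001];                 /* constructed: 10000 A's */
    memset(longname, 'A', 10000);
    longname[10000] = '\0';
    printf("src/foo.o -> %d\n", try_stem("src/foo.o", stem_str, sizeof stem_str));
    printf("10000 A's -> %d\n", try_stem(longname, stem_str, sizeof stem_str));
    return 0;
}
```

 With the check in place the over-long target is rejected (-1) instead of
 overrunning stem_str; the short target copies normally and returns 0.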

 An easy way to trigger the bug is via command-line arguments.
 For example:

     $ make AAAAAA... (10000 A's)

 Also, the bug can be triggered from inside Makefiles.
 The following Proof of Concept triggers an int3 on a FreeBSD-6.2-RELEASE
 system. Other software may be vulnerable.

 #Alfredo A. Ortega - Core Security Exploit Writers Team (EWT)
 #GNU Make stack overflow
 #This Python script generates a Makefile that triggers the overflow
 #and executes an int3 instruction (SIGTRAP)
 #Tested on FreeBSD-6.2-RELEASE
 #usage: python makeexploit.py >Makefile;gmake

 import os
 #ShellCode placeholder: the original shellcode is not included here.
 #A long run of 'A's (as in the command-line example above) is enough
 #to overrun stem_str and crash make; it does not execute int3.
 overflow = "A" * 10000
 print "all: %s" % overflow

Thanks in advance,

Carlos Sarraute
Advisories Team
Core Security Technologies

Bug-make mailing list
