Note:
The tailf vulnerability was reported to the Red Hat Product Security Team, and based on the following points we mutually agreed that this issue has extremely low, almost no, security impact.
The default util-linux package shipped with CentOS is vulnerable, but tailf is deprecated and has been removed from the latest util-linux package, so a package upgrade is all that is needed.
tailf is not setuid, so no additional privileges can be gained.
Due to the nature of the exploitation, it is highly unlikely that another user could be tricked into triggering this issue.
If you can think of any other way to exploit this vulnerability, please let me know. This report might be useful for practicing secure code analysis, so I decided to post it for interested readers.
Details
The tailf application allows the user to specify the number of lines displayed on output. Due to improper integer boundary checking on the user-controlled "lines" value during the memory allocation routine, an attacker can trigger memory corruption.
Data flow
The user-controlled -n option is handled by old_style_options(), which returns the lines parameter as a "long" value.
The returned "long" lines value is then passed to the tailf() function.
Notice that the "long" lines value is cast to an "int". This leads to value truncation, but let's skip this for our analysis.
The interesting code path is at line 63 in the tailf() function.
Here, the application calculates the required allocation size from user-controlled data, so this is a vulnerable code path. We can trick the application into allocating less memory than the expected size, which can lead to memory corruption.
The xmalloc() function accepts the input size as size_t, which is an unsigned integer. So for memory corruption we need to consider the boundary condition of an unsigned integer.
UINT_MAX is 4294967295. If the provided value is larger than UINT_MAX, it wraps around to 0.
To trigger it, we need lines = 4294967295 / BUFSIZE (8192) = 524287 (integer division), plus 1 = 524288. The product 524288 * 8192 is 4294967296, which wraps to 0, so the allocation is effectively malloc(0).
fgets() reads BUFSIZ bytes from the str stream and copies them into p (i.e., the memory returned by malloc(0)), which results in memory corruption.
Program received signal SIGSEGV, Segmentation fault.
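As an added example (not code from util-linux or from the original post), the following models the size computation described above for a 32-bit build, where size_t has the UINT_MAX range the post assumes: the unchecked "lines * BUFSIZ" path beside a hardened version that bounds the count before multiplying. TAILF_BUFSIZE and MODEL_SIZE_MAX are the post's assumed values, not identifiers from the real code.

```c
#include <stdint.h>
#include <stdio.h>

#define TAILF_BUFSIZE  8192u        /* BUFSIZ value assumed by the post */
#define MODEL_SIZE_MAX UINT32_MAX   /* size_t range on the 32-bit target modelled here */

/* Vulnerable path: lines is cast to int and multiplied by BUFSIZ with no bound
 * check. The product is computed in 32-bit unsigned arithmetic so the wraparound
 * is deterministic (the real signed overflow is undefined behaviour in C, but
 * wraps the same way on the target the post analyses). */
static uint32_t vulnerable_alloc_size(long lines)
{
    int n = (int)lines;                 /* the long-to-int truncation noted above */
    return (uint32_t)n * TAILF_BUFSIZE; /* 524288 * 8192 == 2^32, wraps to 0 */
}

/* Hardened path: reject non-positive counts and any count whose product cannot
 * fit in size_t, before the multiplication happens.
 * Returns 0 and writes the size on success, -1 when the count is rejected. */
static int safe_alloc_size(long lines, uint32_t *out)
{
    if (lines <= 0)
        return -1;
    /* MODEL_SIZE_MAX / TAILF_BUFSIZE == 524287, the largest count that fits */
    if ((uint64_t)lines > MODEL_SIZE_MAX / TAILF_BUFSIZE)
        return -1;
    *out = (uint32_t)lines * TAILF_BUFSIZE;
    return 0;
}

int main(void)
{
    /* constructed probe values: a normal count, the last valid count, and the trigger */
    long probe[] = { 10, 524287, 524288 };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++) {
        uint32_t sz = 0;
        int rc = safe_alloc_size(probe[i], &sz);
        printf("lines=%ld vulnerable=%u hardened=%s\n", probe[i],
               vulnerable_alloc_size(probe[i]), rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```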