ambind does not check user-provided fd value given on its command-line. This fd is then used in calls to FD_SET() and then select().
from man(3) fd_set:
An fd_set is a fixed size buffer. Executing FD_CLR() or FD_SET() with a value of fd that is negative or is equal to or larger than FD_SETSIZE will result in undefined
behavior. Moreover, POSIX requires fd to be a valid file descriptor.
For example, it can be triggered with an int overflow:
Current patch fix this behaviour by checking for fd being in range ]0;FD_SETSIZE[. Note that FD_SETSIZE is often 1024 but it is not guaranteed.
I am unsure of the security implications of the misuse. ambind is currently SUID root on my debian. However I do not have a clear picture of how that binary is typically used and how often. It is possible that it can lead to denial of service (DoS) if an attacker can provide the port to bind to but I doubt exploitation could go further. I am interested in getting your feedback on that.
ambind does not check user-provided fd value given on its command-line. This fd is then used in calls to
FD_SET()and thenselect().from
man(3) fd_set:For example, it can be triggered with an int overflow:
ltrace stack:
Current patch fix this behaviour by checking for fd being in range
]0;FD_SETSIZE[. Note thatFD_SETSIZEis often 1024 but it is not guaranteed.I am unsure of the security implications of the misuse. ambind is currently SUID root on my debian. However I do not have a clear picture of how that binary is typically used and how often. It is possible that it can lead to denial of service (DoS) if an attacker can provide the port to bind to but I doubt exploitation could go further. I am interested in getting your feedback on that.
Similar issue in other projects:
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-fd-set-overflow.html https://www.cvedetails.com/cve/CVE-2011-0719/