Title: Stack Overflow Vulnerability in procps's top
Released by: Ben Lull
Date: 17th August 2000
Description:
The utility top, included with the procps package in Slackware Linux,
contains multiple buffer overruns. Although the top utility is not sXid
by default, it is still a problem. Through security comes stability,
and by creating secure applications you will, in turn, create stable
applications. The overflows occur in two different places. When a call
to strcpy() is made, it copies the environment variable HOME into the
buffer rcfile[1024] without bounds checking.
Reproduction:
Included with this post is proof-of-concept code (topoff.c) for
Slackware Linux 7.0.0 and 7.1.0. Simply remove the comment in front of
'#define RET' for the version of Slackware which you are testing and
compile. When run, the result will be an execve()'ed /bin/sh. You can
also verify that your version of top is vulnerable by setting the
environment variable HOME to a string greater than 1023 bytes.
Solution:
A patch for the most current version of procps (procps-2.0.6) is
attached to this post. Obtain procps-2.0.6 from any Slackware
distribution site under the source/a/procps/ directory. Unpack
procps-2.0.6.tar.gz and apply the included patch (procps-2.0.6.patch).
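A bounded alternative to the unchecked strcpy() of HOME described above, as an added example that is neither the attached procps-2.0.6.patch nor code from procps. The helper build_rcfile() and the ".toprc" file name are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RCFILE_MAX 1024   /* same size as the rcfile[1024] buffer in the advisory */

/*
 * Unsafe pattern described in the advisory, shown only as a comment:
 *     char rcfile[1024];
 *     strcpy(rcfile, getenv("HOME"));   (no length check, HOME is user-controlled)
 */

/*
 * Hypothetical helper: build "<home>/<name>" into dst without ever writing
 * past dstlen bytes. Returns 0 on success, -1 if home is unset or empty or
 * the result would not fit. On failure dst is left as the empty string so a
 * caller can never open a silently truncated path.
 */
int build_rcfile(char *dst, size_t dstlen, const char *home, const char *name)
{
    int n;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (home == NULL || home[0] == '\0' || name == NULL)
        return -1;

    /* snprintf returns the length it wanted to write, so truncation is detectable */
    n = snprintf(dst, dstlen, "%s/%s", home, name);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char rcfile[RCFILE_MAX];

    /* ".toprc" is an assumed file name for illustration */
    if (build_rcfile(rcfile, sizeof rcfile, getenv("HOME"), ".toprc") != 0) {
        fprintf(stderr, "HOME unset or too long; skipping rc file\n");
        return 1;
    }
    printf("rc file: %s\n", rcfile);
    return 0;
}
```

Rejecting an oversized HOME outright, rather than truncating it, keeps the program from reading a configuration file at a path the user did not intend.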
Credits:
I'd like to actually say thank you to my boss for not getting on my
case when I stray from my work to play with things such as this.
Notes:
For reference, you can see all previous posts at
http://www.skunkware.org/security/advisories/
- Ben
************************
* Ben Lull *
* Valley Local Internet, Inc *
* Systems Administrator *
************************