Bugtraq mailing list archives

Still More Overflows
From: hdm () SECUREAUSTIN COM (H D Moore)
Date: Sun, 19 Mar 2000 15:08:08 -0600


Way back in August of 1998 I posted a message to this list about a
handful of buffer overflows in various utilities that shipped with SuSE
Linux 6.2.  It seems that after a year and a half a few of these bugs
STILL exist.  None of these utilities are harmful by themselves, but
they may open a security hole when called by a privileged program (see
compress below).  The original message can be found here:

http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-08-29&msg=35EE534C.B0031C53 () usa net



        compress version 2.4.2 (compiled August 98 under RedHat 6.1 / July 99 SuSE 6.2)
        buffer overflow in file name.
        NOT setuid/setgid or anything, but this is the SAME compress used by the
        ftpd in both RedHat 6.1 AND SuSE 6.2
        in other words:  write a file whose path is longer than the buffer
        limit, then request that file.Z
        and you have stack space in a root process.
        someone want to whip up a quick exploit?

        (note:  FTP daemon may restrict path lengths, any other ideas for
        exploiting this?)

        example: (on SuSE 6.2)

loki:/tmp $ compress -V
Compress version: (N)compress 4.2.4, compiled: Thu Jul 22 23:01:15 GMT
Compile options:
        REGISTERS=20 IBUFSIZ=1024, OBUFSIZ=1024, BITS=16

Author version 4.2 (Speed improvement & source cleanup):
     Peter Jannesen  (peter () ncs nl)

Author version 4.1 (Added recursive directory compress):
     Dave Mack  (csu () alembic acs com)

Authors version 4.0 (World release in 1985):
     Spencer W. Thomas, Jim McKie, Steve Davies,
     Ken Turkowski, James A. Woods, Joe Orost

loki:/tmp $ compress `perl -e 'print "A" x 1023'`
AAA...AAA: File name too long

loki:/tmp $ compress `perl -e 'print "A" x 1024'`
AAA...AAA: File name too long
Segmentation Fault

loki:/tmp $ compress `perl -e 'print "A" x 1173'`
Segmentation Fault



        elvis version 2.1_4 (compiled with default settings from source by
        file path overflow is fixed in this version (vs 2.0 in original post)
        there is a new overflow in the LC_ALL, LC_MESSAGES, LANG environment

        line 663: main.c

        char    lcfile[100];    /* combination of locale name and file name */

        line 703: main.c

        /* Load the verbose messages, plus a few others */
        if (((lc = getenv("LC_ALL")) != NULL && *lc)
         || ((lc = getenv("LC_MESSAGES")) != NULL && *lc)
         || ((lc = getenv("LANG")) != NULL && *lc))
        {
                /* Try to find "elvis.msg" in a locale-dependent subdirectory.
                 * If you can't find it there, then look for the standard one.
                 */
                strcpy(lcfile, dirpath(lc, MSG_FILE));  /* unbounded copy into lcfile[100] */
                buf = bufpath(o_elvispath, lcfile, toCHAR(MSG_BUF));
                if (!buf || o_bufchars(buf) == 0)
                        (void)bufpath(o_elvispath, MSG_FILE, toCHAR(MSG_BUF));
        }

        standard buffer overrun at 100 bytes...
        there are also issues with the bufpath() and buffind() functions



        lha version 1.2 (never was updated)
        segfaults start at 19107 characters on SuSE 6.2 AND RedHat 6.1
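As an added example from the defender's side (not code from this post nor from elvis itself), here is the lcfile[100] strcpy() pattern quoted above for elvis rewritten as a bounded copy in C. The dirpath()/MSG_FILE pair is replaced by a constructed join that assumes the file name "elvis.msg", and the three locale values are passed in as parameters rather than read with getenv(), so the overlong-value case can be checked offline.

```c
#include <stdio.h>
#include <string.h>

#define LCFILE_SIZE 100            /* same fixed size as elvis's lcfile[] */
#define MSG_FILE    "elvis.msg"    /* assumed value of elvis's MSG_FILE */

/* Constructed stand-in for elvis's dirpath()+strcpy(): joins locale name and
 * file name into out[], refusing (instead of overrunning) when it won't fit.
 * Returns 0 on success, -1 on overlong input. */
int build_locale_path(char *out, size_t out_size, const char *lc, const char *file)
{
    int n = snprintf(out, out_size, "%s/%s", lc, file);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';             /* never leave a truncated path behind */
        return -1;
    }
    return 0;
}

/* Same LC_ALL -> LC_MESSAGES -> LANG precedence as main.c, with the values
 * passed in so the logic runs without touching the real environment.
 * 0 = lcfile usable (empty when no locale is set), -1 = value too long:
 * the caller should fall back to the standard message file. */
int load_messages_safe(char *lcfile, size_t size, const char *lc_all,
                       const char *lc_messages, const char *lang)
{
    const char *lc = NULL;
    if (lc_all && *lc_all)                lc = lc_all;
    else if (lc_messages && *lc_messages) lc = lc_messages;
    else if (lang && *lang)               lc = lang;
    if (lc == NULL) { lcfile[0] = '\0'; return 0; }
    return build_locale_path(lcfile, size, lc, MSG_FILE);
}

/* Self-check: a normal locale fits, and a 199-byte one (the same kind of
 * input as the perl one-liners above) is rejected instead of smashing the
 * stack.  Returns 1 when both hold. */
int self_check(void)
{
    char lcfile[LCFILE_SIZE];
    char longlc[200];                  /* constructed: 199 'A's */
    memset(longlc, 'A', sizeof longlc - 1);
    longlc[sizeof longlc - 1] = '\0';
    if (load_messages_safe(lcfile, sizeof lcfile, "en_US", NULL, NULL) != 0
        || strcmp(lcfile, "en_US/" MSG_FILE) != 0)
        return 0;
    return load_messages_safe(lcfile, sizeof lcfile, longlc, NULL, NULL) == -1
        && lcfile[0] == '\0';
}
```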



