
Bugtraq mailing list archives

GNU/Linux 'info' Buffer Overflow
From: Josh Martin <skizzles () gmail com>
Date: 6 Aug 2004 00:46:21 -0000

Package: info
Version: 4.7-2.1
Severity: grave
Tags: security
Justification: user security hole

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7

Versions of packages info depends on:
ii  libc6                       2.3.2.ds1-15 GNU C Library: Shared libraries an
ii  libncurses5                 5.4-4        Shared libraries for terminal hand

-- no debconf information

I have tested several versions (Debian stable, unstable and testing) and
have found that this bug exists in all versions tested. I have included
a small --restore script that can be used to leverage a simple Seg fault.
This buffer overflow is very trivial to leverage as there are several
bytes available (10-15+).  It may be possible that arbitrary system calls
could be made through this hole. It is also possible to leverage this
from the command line using the --restore=FILENAME flag, and need not
have the program running.  Although it is not running as suid, or as a
daemon, in a case where info is being used as a public service, it may
be a security problem. This bug seems only to be accessible where the
file has xrefs available.

        $ info info
        [info screen comes up]
        press 'g'
        [Goto Node:]
        type 'Expert Info' <enter>

        (OR any other way to get to a page with xrefs)

        press 'f'
        Type in 225 or more bytes and press enter.
        SEG FAULT!

Example File:
        The following can be saved to a file and called as:  
        info info  --restore=info.bug to create a segmentation fault.

        [START info.bug]
        gExpert Info

        [END info.bug]
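As an added illustration (not from the report above and not GNU info's own source), the defensive counterpart of the bug class the post describes: a node-name prompt that refuses input too long for its fixed buffer instead of writing past it. The buffer size, the 225-byte threshold and all function names are hypothetical, chosen only to mirror the reported symptom.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size, not taken from info's source: chosen so that
   224 characters fit and the 225-byte input from the report does not. */
#define NODE_NAME_MAX 225

enum { NODE_OK = 0, NODE_TOO_LONG = -1, NODE_EMPTY = -2 };

/* Length of `s`, scanning at most `limit` bytes (a portable strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Copy a typed node name into a fixed buffer of size dstsz. An over-long
   name is refused outright instead of being written past the buffer (the
   unchecked-copy pattern behind the reported segfault) or silently cut. */
int read_node_name(const char *typed, char *dst, size_t dstsz)
{
    size_t len = bounded_len(typed, dstsz);
    if (len == 0)
        return NODE_EMPTY;
    if (len >= dstsz)            /* no room left for the terminating '\0' */
        return NODE_TOO_LONG;
    memcpy(dst, typed, len + 1);
    return NODE_OK;
}

/* Feed a constructed name of `typed_len` 'A's through the prompt logic and
   return the result code; mirrors the "type 225 or more bytes" step. */
int simulate_prompt(size_t typed_len)
{
    char typed[512];
    char node[NODE_NAME_MAX];
    if (typed_len >= sizeof typed)
        typed_len = sizeof typed - 1;
    memset(typed, 'A', typed_len);
    typed[typed_len] = '\0';
    return read_node_name(typed, node, sizeof node);
}

int main(void)
{
    printf("224 bytes -> %d, 225 bytes -> %d\n",
           simulate_prompt(224), simulate_prompt(225));
    return 0;
}
```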
