Still More Overflows


Date: Sun, 19 Mar 2000 15:08:08 -0600
From: H D Moore <[email protected]>
To: [email protected]
Subject: Still More Overflows

Hi,

Way back in August of 1998 I posted a message to this list about a
handful of buffer overflows in various utilities that shipped with SuSE
Linux 6.2.  It seems that after a year and a half a few of these bugs
STILL exist.  None of these utilities are harmful by themselves, but
they may open a security hole when called by a privileged program (see
compress below).  The original message can be found here:

http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-08-29&msg=35EE534C.B0031C53@usa.net

------------

compress:

	compress version 2.4.2 (compiled August 98 under RedHat 6.1 / July 99
SuSE 6.2)
	buffer overflow in file name.
	NOT setu/gid or anything, but this is the SAME compress used by the
ftpd in both RedHat 6.1 AND SuSE 6.2
	in other words:  write a file whose path is longer than the buffer
limit, then request thatfile.Z
	and you have stack space in a root process.
	someone want to whip up a quick exploit?

	(note:  FTP daemon may restrict path lengths, any other ideas for
exploiting this?)

	example: (on SuSE 6.2)

loki:/tmp $ compress -V
Compress version: (N)compress 4.2.4, compiled: Thu Jul 22 23:01:15 GMT
1999
Compile options:
        USE_BYTEORDER, FAST, DIRENT, LSTAT,
        REGISTERS=20 IBUFSIZ=1024, OBUFSIZ=1024, BITS=16

Author version 4.2 (Speed improvement & source cleanup):
     Peter Jannesen  ([email protected])

Author version 4.1 (Added recursive directory compress):
     Dave Mack  ([email protected])

Authors version 4.0 (World release in 1985):
     Spencer W. Thomas, Jim McKie, Steve Davies,
     Ken Turkowski, James A. Woods, Joe Orost

loki:/tmp $ compress `perl -e 'print "A" x 1023'`
AAA...AAA: File name too long

loki:/tmp $ compress `perl -e 'print "A" x 1024'`
AAA...AAA: File name too long
Segmentation Fault

loki:/tmp $ compress `perl -e 'print "A" x 1173'`
Segmentation Fault

------------

elvis:

	elvis version 2.1_4 (compiled with default settings from source by
myself)
	file path overflow is fixed in this version (vs 2.0 in original post)
but
	there is a new overflow in the LC_ALL, LC_MESSAGES, LANG environment
variables

	
	line 663: main.c

	char	lcfile[100];	/* combination of locale name and file name */


	line 703: main.c

	/* Load the verbose messages, plus a few others */
	if (((lc = getenv("LC_ALL")) != NULL && *lc)
	 || ((lc = getenv("LC_MESSAGES")) != NULL && *lc)
	 || ((lc = getenv("LANG")) != NULL && *lc))
	{
		/* Try to find "elvis.msg" in a locale-dependent subdirectory.
		 * If you can't find it there, then look for the standard one.
		 */
		strcpy(lcfile, dirpath(lc, MSG_FILE));
		buf = bufpath(o_elvispath, lcfile, toCHAR(MSG_BUF));
		if (!buf || o_bufchars(buf) == 0)
		{
			(void)bufpath(o_elvispath, MSG_FILE, toCHAR(MSG_BUF));
		}
	}

	standard buffer overrun at 100 bytes...
	there are also issues with the bufpath() and buffind() functions


------------

lha:

	lha version 1.2 (never was updated)
	segfaults start at 19107 characters on SuSE 6.2 AND RedHat 6.1



------------


-HD

http://www.secureaustin.com
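The elvis pattern quoted above, as an added example that is not from the elvis source or from the post: the unbounded copy into the 100-byte lcfile is modelled (its length is measured, never written) beside the bounded replacement a maintainer would ship. The "<locale>/elvis.msg" layout, the MSG_FILE value and the function names are assumptions.

```c
/* Added example, not code from elvis or from the original post. It models
 * the quoted main.c pattern: a locale name taken from LC_ALL/LC_MESSAGES/
 * LANG is joined with a message-file name and strcpy()'d into a 100-byte
 * stack buffer. The real dirpath() is not reproduced; "<lc>/elvis.msg" is
 * an assumed layout. lcfile_needed() measures what the unbounded strcpy()
 * would write, so the program itself never corrupts memory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LCFILE_SIZE 100          /* char lcfile[100] in the quoted main.c */
#define MSG_FILE    "elvis.msg"  /* assumed value of elvis's MSG_FILE macro */

/* Bytes the unbounded copy commits to: lc + '/' + MSG_FILE + NUL. */
size_t lcfile_needed(const char *lc)
{
    return strlen(lc) + 1 + strlen(MSG_FILE) + 1;
}

/* 1 when the quoted strcpy() would overrun lcfile[100], else 0. */
int lcfile_would_overflow(const char *lc)
{
    return lcfile_needed(lc) > LCFILE_SIZE;
}

/* Hardened form: build the path with an explicit bound and refuse, rather
 * than silently truncate, when the locale does not fit. Returns 0 on
 * success, -1 on an empty or over-long locale; out is always NUL-terminated
 * (empty on failure) so a caller cannot use a half-built path. */
int build_lcfile(char *out, size_t outsz, const char *lc)
{
    int n;
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (lc == NULL || *lc == '\0') return -1;
    n = snprintf(out, outsz, "%s/%s", lc, MSG_FILE);
    if (n < 0 || (size_t)n >= outsz) {  /* snprintf reports truncation */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char lcfile[LCFILE_SIZE];
    const char *lc = getenv("LANG");
    if (lc == NULL || *lc == '\0') lc = "de_DE";  /* constructed fallback */
    printf("unbounded copy would overflow: %s\n",
           lcfile_would_overflow(lc) ? "yes" : "no");
    printf("bounded build: %s -> \"%s\"\n",
           build_lcfile(lcfile, sizeof lcfile, lc) == 0 ? "ok" : "rejected",
           lcfile);
    return 0;
}
```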
