Still More Overflows

[hdm () SECUREAUSTIN COM (H D Moore)]

Hi,

Way back in August of 1998 I posted a message to this list about a
handful of buffer overflows in various utilities that shipped with SuSE
Linux 6.2.  It seems that after a year and half a few of these bugs
STILL exist.  None of these utilities are harmful by themselves, just
they may open a security hole when called by a priviledged program (see
compress below).  The original message can be found here:

35EE534C.B0031C53 () usa 
net">http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-08-29&msg=35EE534C.B0031C53 () usa net</A>

------------

compress:

        compress version 2.4.2 (compiled August 98 under RedHat 6.1 / July 99
SuSE 6.2)
        buffer overflow in file name.
        NOT setu/gid or anything, but this is the SAME compress used by the
ftpd in both RedHat 6.1 AND SuSE 6.2
        in other words:  write a file whose path is longer than the buffer
limit, then request thatfile.Z
        and you have stack space in a root process.
        someone want to whip up a quick exploit?

        (note:  FTP daemon may restrict path lengths, any other ideas for
exploiting this?)

        example: (on SuSE 6.2)

loki:/tmp $ compress -V
Compress version: (N)compress 4.2.4, compiled: Thu Jul 22 23:01:15 GMT
1999
Compile options:
        USE_BYTEORDER, FAST, DIRENT, LSTAT,
        REGISTERS=20 IBUFSIZ=1024, OBUFSIZ=1024, BITS=16

Author version 4.2 (Speed improvement & source cleanup):
     Peter Jannesen  (peter () ncs nl)

Author version 4.1 (Added recursive directory compress):
     Dave Mack  (csu () alembic acs com)

Authors version 4.0 (World release in 1985):
     Spencer W. Thomas, Jim McKie, Steve Davies,
     Ken Turkowski, James A. Woods, Joe Orost

loki:/tmp $ compress `perl -e 'print "A" x 1023'`
AAA...AAA: File name too long

loki:/tmp $ compress `perl -e 'print "A" x 1024'`
AAA...AAA: File name too long
Segmentation Fault

loki:/tmp $ compress `perl -e 'print "A" x 1173'`
Segmentation Fault

------------

elvis:

        elvis version 2.1_4 (compiled with default settings from source by
myself)
        file path overflow is fixed in this version (vs 2.0 in original post)
but
        there is a new overflow in the LC_ALL, LC_MESSAGES, LANG environment
variables

        
        line 663: main.c

        char    lcfile[100];    /* combination of locale name and file name */

        line 703: main.c

        /* Load the verbose messages, plus a few others */
        if (((lc = getenv("LC_ALL")) != NULL && *lc)
         || ((lc = getenv("LC_MESSAGES")) != NULL && *lc)
         || ((lc = getenv("LANG")) != NULL && *lc))
        {
                /* Try to find "elvis.msg" in a locale-dependent subdirectory.
                 * If you can't find it there, then look for the standard one.
                 */
                strcpy(lcfile, dirpath(lc, MSG_FILE));
                buf = bufpath(o_elvispath, lcfile, toCHAR(MSG_BUF));
                if (!buf || o_bufchars(buf) == 0)
                {
                        (void)bufpath(o_elvispath, MSG_FILE, toCHAR(MSG_BUF));
                }
        }

        standard buffer overrun at 100 bytes...
        there are also issues with the bufpath() and buffind() functions

------------

lha:

        lha version 1.2 (never was updated)
        segfaults start at 19107 characters on SuSE 6.2 AND RedHat 6.1

------------

-HD

http://www.secureaustin.com