-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 01100011 - code 'security research team' - ---------------------------------------- - - http://www.c-code.net - - Advisory and PoC exploit by: demz // demz@c-code.net - - Vulnerable source: Polymorph v0.4.0 - - Bug type: Stackoverflow - - Priority: 3 - ---------------------------------------- [01] Description [02] Vulnerable [03] Proof of concept [04] Vendor response [01] Description Polymorph is a filesystem "unixier" (a Win32 -> Unix filename convertor) When downloading images from Usenet alot of filenames are mangled by MS Outlook and other, less caring, newsagents. There could be files with strange names like C:\\PIX\\HUBBLE\\Eagle\ Nebula\ 0532.JPG and this, of course, is unacceptable. Polymorph looks in the current working directory and finds strange filenames like this. It then renames the file after converting all the characters to lowercase and trimming the cruft from the original. The previous example turned out to have the name eagle_nebula_0532.jpg which is much more useful. Polymorph contains an unchecked buffer in the "-f file" option, this can be exploited very simple. [02] Vulnerable Vulnerable and exploitable version, tested on Redhat 8.0: - Polymorph 0.4.0 Maybe also prior versions are vulnerable. Source can be found at: http://chromebob.com/proj/polymorph.html [03] Proof of concept [demz@lab polymorph-0.4.0]$ ./c-polymorph Polymorph 0.4.0 local exploit ---------------------------------------- demz @ c-code.net -- polymorph had trouble converting 𐝣1砂F蛝1繮hn/shh//bi夈PS夅櫚 蛝1腊蛺悙悙% to 1򤋱砂f蛝1纏hn/shh//bi夈ps夅櫚 蛝1腊 悙悙 痼... the file is now possibly corrupt sh-2.05b$ A proof of concept exploit can be found at: http://www.c-code.net/Releases/Exploits/c-polymorph.c [04] Vendor response The vendor is informed. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+zTzZ8ToiGqnwMzARAphBAJ9L+MOY5R5arOeb1slTXeNgYAgwsgCcD8od IwAUN0zzl8ZhkfZN5judNNY= =oc09 -----END PGP SIGNATURE-----