lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID:  <gemini.kihx4502xzl40031t.taviso@sdf.lonestar.org>
Date:  Wed, 22 Apr 2009 11:31:25 +0200
From: Tavis Ormandy <taviso@....lonestar.org>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject:  Re: [Bkis-07-2009] 010 Editor Multiple Buffer Overflow Vulnerabilities

Bkis <svrt@...v.com.vn> wrote:
> Bkis has just found many vulnerabilities in the software, related to the
> processing of 010 Editor Binary Template files (“.bt”) and 010 Editor
> Script Files (“.1sc”). These vulnerabilities are very dangerous due to the
> fact that they allow hackers to execute malicious code on users’ systems.
> 

I think you're confused, these scripts can execute programs, create and
modify files, modify running processes, and so on. Perhaps you're confusing
the concept of "modelines" with editor automation (modelines are hints to
the editor how to display a file, and are untrusted, where as automating an
editor requires the ability to modify files, create filters and so on to be
useful).

The documentation is online here:

http://www.sweetscape.com/010editor/manual/FuncInterface.htm
http://www.sweetscape.com/010editor/manual/EditingProcesses.htm

Start here:

int Exec( const char program[], const char arguments[] ) 

Executes an external application using the given program and arguments.

> Rating this vulnerability high severity, Bkis recommends that users 
> should update their software to the latest version.

This is like saying "A vulnerability has been fixed parsing perl scripts,
upgrade and it's safe to run hostile.pl again", It's obviously not the case.
While what you describe is clearly a bug, it's hard to see any security
impact - users couldnt previously safely execute untrusted scripts, and
after upgrading they still can't.

You may want to read up on modelines, Guninski famously broke vim modelines
in interesting ways several times.

-- 
-------------------------------------
taviso@....lonestar.org | finger me for my pgp key.
-------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ