Message-ID: <1109113175.421bb95705d42@webmail.uu.se>
From: Ulf.Harnhammar.9485 at student.uu.se (Ulf Härnhammar)
Subject: unace-1.2b multiple buffer overflows and directory traversal bugs

I have found multiple security vulnerabilities in unace-1.2b. (It is
the last free version. The later versions are just binaries for the
x86 processor, which is unhelpful if you want to use free software or
if your computer has a non-x86 processor.)

There are two buffer overflows when extracting, testing or listing
specially prepared ACE archives. They are caused by wrong usage of
strncpy() with the third parameter coming from the archive. In both
cases, the attacker controls the EIP register.

There are also two buffer overflows when (a) dealing with long (>15600
characters) command line arguments for archive names, and (b) when
preparing a string for printing Ready for next volume messages.

Furthermore, there are directory traversal bugs when extracting ACE
archives. They are both of the absolute ("/etc/nologin") and the relative
("../../../../../../../etc/nologin") type.

All buffer overflows have the identifier CAN-2005-0160, and the directory
traversal bugs have the identifier CAN-2005-0161.

I have attached a ZIP archive containing some test archives and a patch.
I wrote a small Perl script to create the test archives, after having
read ACE.txt. I didn't have the time to create archives that work on
unace-2.x, so I haven't really tested whether later versions of unace
are vulnerable to any of these bugs.

The vendor and the distributors have been contacted, and the 22nd of
February was agreed upon as the release date.

// Ulf Härnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/
    Run this to get my new e-mail address:
   lynx -source http://slashdot.org/ | head -n1 | sed -e 's%".*$%%' \
   -e 'y%TC!%aa#%' -e 's%UB%te%g' -e 'y%<ODP%#emr%' -e 's%E H.*r% %' \
   -e 's%#%%g' -e 's%$%com%' -e 's%aa*%ta%' -e 'y%IYL%iul%'

-------------- next part --------------
A non-text attachment was scrubbed...
Name: unace.advisory-data.zip
Type: application/zip
Size: 2660 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050222/f4d51550/unace.advisory-data.zip
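The two bug classes in the advisory above (a copy whose length comes from the archive header, and member names that escape the extraction directory) have the same defensive shape: validate the untrusted value before it reaches a fixed buffer or the filesystem. The following C is an added example written for this archive page; it is not unace's code and does not follow the ACE header layout. The function names, the 16-byte name buffer and the constructed header bytes are all assumptions chosen to show the checks.

```c
/* Added example, not unace code. The field layout below is a constructed
 * stand-in for "a length-prefixed string read from an untrusted archive",
 * not the ACE format. Function names are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy a length-prefixed name field from an untrusted header into a
 * fixed-size buffer. `field_len` is what the archive claims, `avail` is
 * how many header bytes were actually read, `dstsz` is the program's own
 * buffer size. Returns 0 on success, -1 when the field must be rejected.
 * The archive's length is never handed to strncpy()/memcpy() unchecked. */
int copy_archive_field(char *dst, size_t dstsz, const unsigned char *src,
                       size_t avail, size_t field_len)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    if (field_len > avail)          /* header claims more bytes than exist */
        return -1;
    if (field_len >= dstsz)         /* would overflow dst or leave no room for NUL */
        return -1;
    memcpy(dst, src, field_len);
    dst[field_len] = '\0';
    return 0;
}

/* Decide whether an archive member name may be joined onto the output
 * directory. Rejects empty names, absolute paths (both slash styles),
 * drive-letter prefixes and any ".." path component. Returns 1 if safe,
 * 0 if the name must be refused. */
int is_safe_member_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/' || name[0] == '\\')            /* absolute path */
        return 0;
    if (((name[0] >= 'A' && name[0] <= 'Z') ||
         (name[0] >= 'a' && name[0] <= 'z')) && name[1] == ':')
        return 0;                                     /* "C:" style prefix */

    const char *p = name;
    while (*p) {
        const char *q = p;
        while (*q && *q != '/' && *q != '\\')
            q++;
        size_t len = (size_t)(q - p);
        if (len == 2 && p[0] == '.' && p[1] == '.')   /* ".." component */
            return 0;
        p = *q ? q + 1 : q;
    }
    return 1;
}

/* Stand-alone demo on constructed input: a header whose claimed length
 * exceeds the 16-byte name buffer, and two traversal-style names. */
int main(void)
{
    char name[16];
    unsigned char hdr[64];
    memset(hdr, 'A', sizeof hdr);           /* constructed oversized field */

    int rc = copy_archive_field(name, sizeof name, hdr, sizeof hdr, sizeof hdr);
    printf("oversized field: %s\n", rc == 0 ? "copied" : "rejected");

    const char *members[] = { "docs/readme.txt", "/etc/nologin",
                              "../../../../../../../etc/nologin" };
    for (size_t i = 0; i < 3; i++)
        printf("%-36s %s\n", members[i],
               is_safe_member_name(members[i]) ? "extract" : "refuse");
    return 0;
}
```

The length check compares the archive's claim against both the bytes actually present and the destination size, which is the comparison a raw `strncpy(dst, src, field_len)` skips; the path check works on components rather than searching for the substring `..`, so a legitimate name such as `a/..b/c` is still accepted.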
