2fax up to and including v2.02 for Linux and Windows contains a locally exploitable buffer overflow in the -bpcx option.
+-[ Limpid Byte Advisory #003]---------------------------------+
| |
| Program: 2fax |
| Version: all ( <=2.02 ) |
| OS: Linux/Windows |
| Bug: Buffer Overflow in -bpcx option |
| Homepage: http://www.atbas.org |
| |
| Discovered by Crazy Einstein [crazy_einstein@yahoo.com] |
| |
+--------------------------------------------------------------+
+Intro+--------------------------------------------------------+
2fax (by Hans Harder) is a command-line program that converts
ASCII text files into fax (TIFF) formatted files. It works with
Hylafax (Linux) and bgfax (DOS/Windows). It can also overlay
PCX files, used for logos and signatures, onto the ASCII text.
+Bug+----------------------------------------------------------+
If 2fax is run with the -bpcx option and the option value is long
enough (more than 212 characters), the program crashes with a
segmentation fault:
[root@ns 2fax-2.02]# ./2fax -bpcx:`perl -e 'print "A"x666'` aaa aaa
Segmentation fault (core dumped)
[root@ns 2fax-2.02]# gdb 2fax core
...
#0 0x41414141 in ?? ()
(gdb)
...
The program counter at the time of the crash is 0x41414141, i.e. the
bytes "AAAA" from the option value: the argument is copied into a
fixed-size stack buffer with no length check and overwrites the saved
return address. An attacker who controls the argument can therefore
execute arbitrary code, which matters if the binary is installed
setuid/setgid, since the code then runs with the uid/gid of the
binary's owner instead of the invoking user.
+Solution+-----------------------------------------------------+
(1) Clear the setuid/setgid bits from the program:
[root@ns 2fax-2.02]# chmod ug-s /path/to/2fax
(2) Edit the source of 2fax so that the -bpcx argument is checked
    against the size of the destination buffer before it is copied.
    The buffer is 81 bytes, so the longest name that fits is 80
    characters plus the terminating NUL:
...
#include <string.h> /* strlen() */
...
char page_pcxfn[81]=""; /* page pcx file: 80 characters plus NUL */
...
word setswitches(char *sw, word cmdline, word def)
{
...
case 17 :
 /* only copy if the name, plus its NUL, fits in page_pcxfn */
 if(strlen(&sw[l]) < sizeof(page_pcxfn)) {
 strcpy(page_pcxfn,&sw[l]);
 if (cmdline==0) page_pcxno=Openpcx(1,page_pcxfn); /*1.91*/
 }
 else printf("Error: pcx file name too long (max %d)\n",
             (int)sizeof(page_pcxfn)-1);
 break;
...
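The following is an added, stand-alone example illustrating the bug and the fix described above; it is not 2fax's own source. It reproduces the shape of the problem (an 81-byte global buffer filled from the text after "-bpcx:" with strcpy) and puts the bounded replacement beside it. The function names set_page_pcx_unchecked, set_page_pcx_checked, handle_bpcx_switch and current_page_pcx, and the PCXFN_SIZE constant, are hypothetical and chosen for the example; the long argument is constructed inline to mirror the perl -e 'print "A"x666' command line from the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Same size as 2fax's page_pcxfn[81]: 80 characters plus the terminating NUL. */
#define PCXFN_SIZE 81

static char page_pcxfn[PCXFN_SIZE] = "";

/* Vulnerable form (the pre-fix behaviour): strcpy() copies until it finds a
 * NUL, however long the argument is, so anything past 80 bytes overruns
 * page_pcxfn. Kept for contrast only; never call it with a long argument. */
void set_page_pcx_unchecked(const char *arg)
{
    strcpy(page_pcxfn, arg);
}

/* Hardened form: refuse the name unless it fits, NUL included, then copy.
 * Returns 0 on success and -1 if the name is too long. */
int set_page_pcx_checked(const char *arg)
{
    size_t n = strlen(arg);
    if (n >= PCXFN_SIZE) {
        fprintf(stderr, "Error: pcx file name too long (max %d)\n", PCXFN_SIZE - 1);
        return -1;
    }
    memcpy(page_pcxfn, arg, n + 1);   /* n + 1 <= PCXFN_SIZE, so this is in bounds */
    return 0;
}

/* Handles a "-bpcx:<file>" switch the way the advisory's command line uses it.
 * &sw[l] is the text after the prefix, as in the original setswitches() code.
 * Returns -2 if sw is not a -bpcx switch, otherwise set_page_pcx_checked()'s result. */
int handle_bpcx_switch(const char *sw)
{
    const char *prefix = "-bpcx:";
    size_t l = strlen(prefix);
    if (strncmp(sw, prefix, l) != 0)
        return -2;
    return set_page_pcx_checked(&sw[l]);
}

/* Exposes the buffer so a caller can see what was stored. */
const char *current_page_pcx(void)
{
    return page_pcxfn;
}

int main(void)
{
    /* Constructed input: 666 'A's, like `perl -e 'print "A"x666'` in the advisory. */
    char big[667];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    char sw[sizeof big + 8];
    snprintf(sw, sizeof sw, "-bpcx:%s", big);

    printf("short name -> %d (stored \"%s\")\n",
           handle_bpcx_switch("-bpcx:logo.pcx"), current_page_pcx());
    printf("666-byte name -> %d (buffer unchanged: \"%s\")\n",
           handle_bpcx_switch(sw), current_page_pcx());
    /* set_page_pcx_unchecked(big) would write 586 bytes past the end of
     * page_pcxfn, which is exactly the overflow the advisory reports. */
    return 0;
}
```

The check is `strlen(arg) >= PCXFN_SIZE`, not `> PCXFN_SIZE`, because the terminating NUL also has to fit; an 80-character name is accepted and an 81-character name is rejected. Build with `cc -Wall` and run it to see the accepted and rejected cases.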