exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

aspellOverflow.txt

aspellOverflow.txt
Posted Jun 10, 2004
Authored by Shaun Colley aka shaun2k2 | Site nettwerked.co.uk

Aspell is susceptible to a stack overflow when it makes use of a wordlist file that has an entry exceeding 256 bytes.

tags | advisory, overflow
SHA-256 | 7b148643f8b27cc0b5251d418834bd40e6879c6455093a920ae35722acfa711d

aspellOverflow.txt

Change Mirror Download
_________________________________________________________

Product: word-list-compress / part of aspell
package
Versions: All
Bug: Stack overflow
Impact: Run arbitrary code with privs of target
user
Risk: Low
Date: June 8, 2004
Author: shaun2k2
http://www.nettwerked.co.uk
_________________________________________________________



Introduction
#############

Aspell was intended as a more accurate and robust
replacement for the popular ispell package, and was
written by GNU. Aspell includes a small utility for
compressing and decompressing wordlists before
processing by aspell, namely 'word-list-compress'.

Due to insufficient bounds checking, a malformed
wordlist can cause for a stack based buffer overflow
to occur, possibly allowing execution of arbitrary
code with the privileges of the invoking user.


Details
########

The word-list-compress utility provides two options --
decompression of wordlists and compression of
wordlists. When processing wordlists supplied with
either option, due to lack of bounds checking, a
buffer overflow could occur, should a word exceeding
256 bytes be present in the user-supplied wordlist.

The offending code lays below.

--- vulnerable code ---
else if (argv[1][0] == 'c') {

char s1[256];
char s2[256];
char * prev = s2;
char * cur = s1;
*prev = '\0';

SETBIN (stdout);

/* BUG 1: no checks are made to prevent getting
more than 256 bytes via get_word() */
while (get_word(stdin, cur)) {
int i = 0;
/* get the length of the prefix */
while (prev[i] != '\0' && cur[i] != '\0' &&
prev[i] == cur[i])
++i;
if (i > 31) {
putc('\0', stdout);
}
putc(i+1, stdout);
fputs(cur+i, stdout);
if (cur == s1) {
prev = s1; cur = s2;
} else {
prev = s2; cur = s1;
}
}
return 0;

} else if (argv[1][0] == 'd') {

char cur[256];
int i;
int c;

SETBIN (stdin);

i = getc(stdin);
while (i != -1 ) {
if (i == 0)
i = getc(stdin);
--i;

/* BUG 2: no check is made to prevent against
writing more than 256 bytes into the fixed
length buffers */
while ((c = getc(stdin)) > 32)
cur[i++] = (char)c;
cur[i] = '\0';
fputs(cur, stdout);
putc('\n', stdout);
i = c;
}
return 0;
--- EOF ---

The get_word() routine is called continually when
acting upon 'c' (compress) until the user-supplied
string ends. In option 'd' (decompress), characters
are written into a fixed length buffer ('cur').
However, no checks in the while() loops are present to
ensure that the number of characters in each 'word'
exceed 256 bytes, thus resulting in a potential buffer
overflow, such should a condition arise.

If a user was able to influence the contents of
another users wordlist/dictionary file, the user could
craft a malicious word entry exceeding 256 bytes to
execute arbitrary code. When word-list-compress is
then called by a targetted user, the malicious
wordlist entry would trigger to overflow, optionally
running arbitrary code with the privileges of the
user.


Exploitation
##############

Assuming a user had sufficient privileges to influence
the contents of a users wordlist, a malicious word
entry could be crafted in the form of a normal exploit
buffer.

To reproduce the issues described above, issue the
below commands.

---
bash$ echo `perl -e 'print "a"x1000'` |
word-list-compress c

bash$ echo `perl -e 'print "a"x1000'` |
word-list-compress d
---

Each subsequent command should produce a segmentation
fault. By examining the core file, it should be
apparent that influence of program flow is easily
possible.

The major mitigating factor is the access the
malicious user requires to a users dictionary file.
However, if a malicious user could social engineer a
user into using their specially crafted wordlist with
word-list-compress, an issue would still exist.



Solution
#########

Kevin Atkinson, package maintainer, was contacted a
significant amount of time ago, but no reply was
received, and the issues still exist in the latest
release of aspell.

The below patch file fixes the issues.

--- aspell-bug.patch ---
--- compress.orig.c 2004-06-08 16:37:00.000000000
+0100
+++ compress.c 2004-06-08 16:34:35.000000000 +0100
@@ -28,6 +28,9 @@

#endif

+int count;
+
+
void usage ()
{
fputs("Compresses or uncompresses sorted word
lists.\n" , stderr);
@@ -47,6 +50,7 @@
*w++ = (char)(c);
} while (c = getc(in), c != EOF && c > 32);
*w = '\0';
+ count++;
ungetc(c, in);
if (c == EOF) return 0;
else return 1;
@@ -69,6 +73,7 @@

SETBIN (stdout);

+ while(count < 256) {
while (get_word(stdin, cur)) {
int i = 0;
/* get the length of the prefix */
@@ -85,6 +90,7 @@
prev = s2; cur = s1;
}
}
+ }
return 0;

} else if (argv[1][0] == 'd') {
@@ -100,8 +106,11 @@
if (i == 0)
i = getc(stdin);
--i;
- while ((c = getc(stdin)) > 32)
+ while ((c = getc(stdin)) > 32 && count < 256) {

cur[i++] = (char)c;
+ count++;
+ }
+
cur[i] = '\0';
fputs(cur, stdout);
putc('\n', stdout);
--- EOF ---

Apply the patch, and rebuild aspell.




Thank you for your time.
Shaun.







____________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping"
your friends today! Download Messenger Now
http://uk.messenger.yahoo.com/download/index.html
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close