From djb@cr.yp.to Wed Dec 15 14:23:01 2004
Date: 15 Dec 2004 08:29:44 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, html2hdml-devel@lists.sourceforge.jp
Subject: [remote] [control] html2hdml 1.0.3 remove_quote overflows
    print_buf buffer

Wiktor Kopec and Matthew Dabrowski, two students in my Fall 2004 UNIX
Security Holes course, have discovered a remotely exploitable security
hole in html2hdml. I'm publishing this notice, but all the discovery
credits should be assigned to Kopec and Dabrowski.

You are at risk if you take an HTML document from the web (or email or
any other source that could be controlled by an attacker) and feed that
document through html2hdml. (I don't see any documentation stating that
html2hdml must not be applied to network data.) Whoever provides that
document then has complete control over your account: he can read and
modify your files, watch the programs you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type

   cd /usr/ports/www/html2hdml
   make install

to download and compile the html2hdml program, version 1.0.3 (apparently
not the latest official version, but the latest FreeBSD ports version).
Then, as any user, save the file 61.html attached to this message, and
type

   html2hdml < 61.html > 61.hdml

with the unauthorized result that a file named x is removed from the
current directory.

Here's the bug: In convert.c, remove_quote() copies any amount of data
to a limited-size print_buf array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

    [ Part 2, Text/HTML (charset: unknown-8bit)  56 lines. ]
    [ Unable to print this part. ]