A vulnerability has been reported in html2hdml version 1.0.3, allowing malicious people to compromise a vulnerable system.
From djb@cr.yp.to Wed Dec 15 14:23:01 2004
Date: 15 Dec 2004 08:29:44 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, html2hdml-devel@lists.sourceforge.jp
Subject: [remote] [control] html2hdml 1.0.3 remove_quote overflows print_buf buffer
Wiktor Kopec and Matthew Dabrowski, two students in my Fall 2004 UNIX
Security Holes course, have discovered a remotely exploitable security
hole in html2hdml. I'm publishing this notice, but all the discovery
credits should be assigned to Kopec and Dabrowski.
You are at risk if you take an HTML document from the web (or email or
any other source that could be controlled by an attacker) and feed that
document through html2hdml. (I don't see any documentation stating that
html2hdml must not be applied to network data.) Whoever provides that
document then has complete control over your account: he can read and
modify your files, watch the programs you're running, etc.
Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type
cd /usr/ports/www/html2hdml
make install
to download and compile the html2hdml program, version 1.0.3 (apparently
not the latest official version, but the latest FreeBSD ports version).
Then, as any user, save the file 61.html attached to this message, and
type
html2hdml < 61.html > 61.hdml
with the unauthorized result that a file named x is removed from the
current directory.
Here's the bug: In convert.c, remove_quote() copies an unbounded amount of
input data into the fixed-size print_buf array without checking that it
fits, so an HTML document with a long enough value overruns the buffer.
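The following is an added illustration of the bug class named above, not
code from html2hdml's convert.c (which is not reproduced in this notice).
The quote-stripping semantics, the PRINT_BUF_SIZE constant and the function
names are assumptions chosen to show the pattern: a copy loop that stops
only at the end of attacker-controlled input, placed next to a bounded form
that takes the destination size, always terminates the output and reports
truncation instead of overflowing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed print_buf in this example. Assumed for illustration;
 * the advisory does not state the real size used in convert.c. */
#define PRINT_BUF_SIZE 32

/* Vulnerable pattern (hypothetical reconstruction, not html2hdml's code):
 * copy src into print_buf dropping quote characters, stopping only at the
 * NUL that ends src. Nothing ties the length of src to the size of
 * print_buf, so an attacker-supplied value longer than the buffer writes
 * past its end; that is the class of bug the advisory describes. */
void remove_quote_unbounded(char *print_buf, const char *src)
{
    char *dst = print_buf;
    for (; *src != '\0'; src++) {
        if (*src != '"' && *src != '\'')
            *dst++ = *src;
    }
    *dst = '\0';
}

/* Bytes remove_quote_unbounded would write for src, NUL included. Lets a
 * reviewer show the overflow arithmetically instead of triggering it. */
size_t remove_quote_needed(const char *src)
{
    size_t n = 1;
    for (; *src != '\0'; src++) {
        if (*src != '"' && *src != '\'')
            n++;
    }
    return n;
}

/* Hardened form: the destination size is a parameter, the output is always
 * NUL-terminated, and an input that does not fit is reported with -1 rather
 * than silently overflowing. Returns the number of bytes written (NUL
 * excluded) on success. */
int remove_quote_bounded(char *print_buf, size_t bufsize, const char *src)
{
    size_t out = 0;

    if (bufsize == 0)
        return -1;
    for (; *src != '\0'; src++) {
        if (*src == '"' || *src == '\'')
            continue;
        if (out + 1 >= bufsize) {      /* keep one byte for the NUL */
            print_buf[out] = '\0';
            return -1;
        }
        print_buf[out++] = *src;
    }
    print_buf[out] = '\0';
    return (int)out;
}

int main(void)
{
    char print_buf[PRINT_BUF_SIZE];
    /* Constructed inputs: a value that fits and an oversized one standing
     * in for an attacker-controlled attribute in an HTML document. */
    const char *small = "<a href=\"x.html\">";
    char big[200];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("small needs %zu bytes, buffer holds %d\n",
           remove_quote_needed(small), PRINT_BUF_SIZE);
    printf("big needs %zu bytes, buffer holds %d\n",
           remove_quote_needed(big), PRINT_BUF_SIZE);

    if (remove_quote_bounded(print_buf, sizeof print_buf, small) >= 0)
        printf("bounded copy of small input: %s\n", print_buf);
    if (remove_quote_bounded(print_buf, sizeof print_buf, big) < 0)
        printf("bounded copy refused the oversized input\n");
    /* remove_quote_unbounded(print_buf, big) is the overflow itself:
     * 200 bytes into a 32-byte stack array. Not executed here. */
    return 0;
}
```

The bounded version deliberately returns an error rather than truncating
silently: a converter that quietly drops the tail of an attribute value
produces a different document from the one it was given, which is its own
class of problem, so the caller should decide whether to reject the input.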
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
[ Part 2, Text/HTML (charset: unknown-8bit), 56 lines: the attached 61.html proof-of-concept file is not reproduced in this archive. ]