dxfscope.txt

Posted Dec 30, 2004
Authored by Ariel Berkman

DXFscope version 0.2 is susceptible to a buffer overflow in the dxfin() function.

tags | advisory, overflow
SHA-256 | 34369099fb355879ef5d0da41977d60a2e86ad54487c2f236eb122ab38a89caf

From djb@cr.yp.to Wed Dec 15 14:20:08 2004
Date: 15 Dec 2004 08:09:36 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, asher@wildspark.com
Subject: [remote] [control] dxfscope 0.2 overflows ent_name buffer

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in dxfscope, a viewer
for DXF drawings. I'm publishing this notice, but all the discovery
credits should be assigned to Berkman.

You are at risk if you take a DXF document from email (or a web page or
any other source that could be controlled by an attacker) and feed that
document through dxfscope. Whoever provides that document then has
complete control over your account: he can read and modify your files,
watch the programs you're running, etc.

The dxfscope documentation does not tell users to avoid taking input
from the network. One can easily find DXF files placed on the web for
public viewing; see, e.g., http://www.acipco.com/afc/dxf.cfm.

Proof of concept: On an x86 computer running FreeBSD 4.10, type

wget http://wildspark.com/dxfscope/dxfscope-current.tar.gz
gunzip < dxfscope-current.tar.gz | tar -xf -
cd dxfscope-0.2
make CC='gcc -DM_PIl=M_PI -I/usr/X11R6/include' SHAREDIR=`pwd`

to download and compile the dxfscope program, version 0.2 (current).
Then save the DXF document attached to this message as 2.dxf, and run

./dxfscope 2.dxf

with the unauthorized result that a file named x is created (and its
previous contents destroyed) in the current directory. (I tested this
with a 452-byte environment, as reported by printenv | wc -c; this
particular file 2.dxf is fairly fragile, allowing only a 60-byte range
of environment sizes.)

Here's the bug: In d.c, dxfin() uses fscanf(...,"%s",...) to read any
number of bytes into a 255-byte ent_name array.
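The pattern the advisory describes, side by side with a bounded replacement, as an added example: this is not dxfscope's source (the real dxfin() in d.c is only paraphrased in a comment), and the function names, the DXF-like sample text and the `cap` sizes are assumptions chosen for illustration. The hardened reader bounds the conversion with a field width derived from the buffer size and reports an overlong name instead of silently truncating it, and a small pre-filter walks an untrusted file the way `%s` would and flags the first token that would not fit in a 255-byte buffer.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define ENT_NAME_LEN 255   /* size of ent_name in the advisory */

/* Vulnerable pattern as the advisory describes it (paraphrase, not
 * dxfscope's actual code): "%s" carries no width limit, so a token of
 * 255 bytes or more writes past the end of ent_name.
 *
 *     char ent_name[255];
 *     fscanf(fp, "%s", ent_name);    // unbounded write
 */

/* Hardened reader. Returns 0 on success, -1 on EOF/no token or bad
 * arguments, -2 if the token was too long for the buffer. */
int read_ent_name(FILE *fp, char *ent_name, size_t len)
{
    char fmt[16];
    int c;

    if (len < 2 || len > 1000) return -1;
    /* Build "%254s" from the buffer size so the limit cannot drift
     * away from the declaration. */
    snprintf(fmt, sizeof fmt, "%%%zus", len - 1);
    if (fscanf(fp, fmt, ent_name) != 1) return -1;

    /* fscanf stopped after len-1 bytes; if the next byte is neither
     * whitespace nor EOF the token was longer than the buffer. */
    c = fgetc(fp);
    if (c != EOF && !isspace(c)) {
        ent_name[0] = '\0';
        return -2;
    }
    if (c != EOF) ungetc(c, fp);
    return 0;
}

/* Pre-filter for an untrusted DXF text: walk whitespace-separated
 * tokens exactly as "%s" would and return the 0-based index of the
 * first one that would overflow a buffer of `cap` bytes (cap bytes or
 * more, leaving no room for the NUL), or -1 if every token fits. */
long first_overlong_token(const char *text, size_t cap)
{
    long idx = 0;
    const char *p = text;

    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        if ((size_t)(p - start) >= cap) return idx;
        idx++;
    }
    return -1;
}

/* Constructed sample (assumption, not a real DXF file): group code 0
 * followed by an entity name of `namelen` bytes. */
static int build_sample(char *out, size_t outsz, size_t namelen)
{
    if (namelen + 4 > outsz) return -1;
    out[0] = '0'; out[1] = '\n';
    memset(out + 2, 'A', namelen);
    out[2 + namelen] = '\n';
    out[3 + namelen] = '\0';
    return 0;
}

/* Run the pre-filter over a sample with a name of `namelen` bytes. */
long scan_sample(size_t namelen, size_t cap)
{
    char text[1024];
    if (build_sample(text, sizeof text, namelen) != 0) return -1;
    return first_overlong_token(text, cap);
}

/* Parse a sample with the hardened reader: skip the group-code token,
 * then read the entity name into a 255-byte buffer. Returns the name
 * length on success, or read_ent_name's negative error code. */
long parse_sample(size_t namelen)
{
    char text[1024], code[8], name[ENT_NAME_LEN];
    FILE *fp;
    int r;

    if (build_sample(text, sizeof text, namelen) != 0) return -1;
    fp = fmemopen(text, strlen(text), "r");
    if (!fp) return -1;
    if (read_ent_name(fp, code, sizeof code) != 0) { fclose(fp); return -1; }
    r = read_ent_name(fp, name, sizeof name);
    fclose(fp);
    return r == 0 ? (long)strlen(name) : r;
}

int main(void)
{
    printf("4-byte name:   scan=%ld parse=%ld\n", scan_sample(4, ENT_NAME_LEN), parse_sample(4));
    printf("254-byte name: scan=%ld parse=%ld\n", scan_sample(254, ENT_NAME_LEN), parse_sample(254));
    printf("300-byte name: scan=%ld parse=%ld\n", scan_sample(300, ENT_NAME_LEN), parse_sample(300));
    return 0;
}
```

A 254-byte name is the largest that fits: the field width leaves one byte for the terminator, so the reader accepts it and the pre-filter stays quiet, while 255 bytes or more is exactly the input that the unbounded `%s` in the original would write past ent_name. The pre-filter is the kind of check worth running on any DXF pulled from the network before handing it to an unpatched viewer.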

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

[ Part 2, Text/PLAIN (charset: unknown-8bit), 6 lines: the attached 2.dxf proof-of-concept document is not reproduced here. ]

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close