A remotely exploitable buffer overflow exists in get() in src/get.c of the Yanf news fetcher utility, version 0.4.
From djb@cr.yp.to Wed Dec 15 14:20:44 2004
Date: 15 Dec 2004 08:15:34 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, yanf@gmx.net, sycrash@users.sourceforge.net
Subject: [remote] [control] Yanf 0.4 get() overflows buf
Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in Yanf. I'm publishing
this notice, but all the discovery credits should be assigned to
Berkman.
You are at risk if you connect to any HTTP servers using Yanf. Anyone
who provides an HTTP response to Yanf (not necessarily the legitimate
server administrator; an attacker can forge HTTP responses) then has
complete control over your account: he can read and modify your files,
watch the programs you're running, etc.
Proof of concept: On an x86 computer running FreeBSD 4.10 with ucspi-tcp
installed, save the file 9.http attached to this message, and, as root,
type
   tcpserver 127.0.0.1 80 cat 9.http &
to arrange for 9.http as the response to any connection to IP address
127.0.0.1 port 80. Then, as any user, type
   wget http://umn.dl.sourceforge.net/sourceforge/yanf/yanf-0.4.tar.gz
   gunzip < yanf-0.4.tar.gz | tar -xf -
   cd yanf-0.4
   make
to download and compile the yanf program, version 0.4 (current). Then
type
   echo '[global]' > my.conf
   echo 'start = blah' >> my.conf
   echo '' >> my.conf
   echo '[Slashdot]' >> my.conf
   echo 'url = localhost/test.blah' >> my.conf
   echo 'type = slash' >> my.conf
   echo 'max = 10' >> my.conf
   echo 'output = blah' >> my.conf
   bin/yanf my.conf
with the unauthorized result that a file named x is created (and its
previous contents destroyed) in the current directory. (I tested this
with a 534-byte environment, as reported by printenv | wc -c.)
Here's the bug: In src/get.c, get() reads a line of any length into a
2048-byte buf[] array.
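The shape of that bug, as an added illustration that is not Yanf's code: a line reader that copies into a caller-supplied 2048-byte buffer with no bound, beside a bounded reader that refuses over-long lines and keeps the stream in sync. The in-memory stream, the constructed HTTP response and every function name below are assumptions made for this example. The unbounded reader is run against an arena larger than 2048 bytes so the number of bytes it writes past the intended boundary can be measured without undefined behaviour.

```c
/* Added example, not Yanf's code: unbounded vs. bounded line reading into
 * a fixed 2048-byte buffer.  Stream, response and names are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUFSZ    2048          /* size of the buffer the caller intends */
#define SLACK    64            /* extra room so the spill can be measured */
#define SENTINEL ((char)0x7f)  /* neither 'A' nor NUL; marks untouched bytes */

/* Constructed stand-in for a socket: a byte string plus a read cursor. */
struct stream { const char *data; size_t len; size_t pos; };

static int stream_getc(struct stream *s)
{
    if (s->pos >= s->len) return EOF;
    return (unsigned char)s->data[s->pos++];
}

/* Vulnerable shape: copies until newline or EOF with no length check.
 * The caller passes what it believes is a 2048-byte buffer; a longer
 * line (which the remote server controls) runs off the end of it. */
size_t get_line_unbounded(struct stream *s, char *buf)
{
    size_t n = 0;
    int c;
    while ((c = stream_getc(s)) != EOF && c != '\n')
        buf[n++] = (char)c;
    buf[n] = '\0';
    return n;
}

/* Hardened form: never writes more than bufsz bytes, NUL included.  On an
 * over-long line it drains the rest of the line so the next read starts at
 * the next line, and returns -1 so the caller can reject the response
 * instead of silently working on a truncated header. */
long get_line_bounded(struct stream *s, char *buf, size_t bufsz)
{
    size_t n = 0;
    int c, overflow = 0;
    if (bufsz == 0) return -1;
    while ((c = stream_getc(s)) != EOF && c != '\n') {
        if (n + 1 < bufsz) buf[n++] = (char)c;
        else overflow = 1;
    }
    buf[n] = '\0';
    return overflow ? -1 : (long)n;
}

/* Constructed response: a first header line of line_len 'A's, then a
 * second, ordinary header line.  Returns total bytes, 0 if out is too small. */
static const char SECOND_LINE[] = "Content-Type: text/plain";

static size_t make_response(char *out, size_t outsz, size_t line_len)
{
    size_t second = sizeof(SECOND_LINE) - 1;
    size_t need = line_len + 1 + second + 1;
    if (need > outsz) return 0;
    memset(out, 'A', line_len);
    out[line_len] = '\n';
    memcpy(out + line_len + 1, SECOND_LINE, second);
    out[need - 1] = '\n';
    return need;
}

/* Runs the unbounded reader on a line of line_len bytes and reports how many
 * bytes landed at or past offset BUFSZ.  The arena is BUFSZ + SLACK bytes,
 * so the measurement itself stays inside allocated storage. */
size_t bytes_past_buf(size_t line_len)
{
    static char resp[BUFSZ + SLACK + 64];
    char arena[BUFSZ + SLACK];
    struct stream s;
    size_t i, spilled = 0;

    if (line_len >= BUFSZ + SLACK) return (size_t)-1; /* would overrun the arena */
    memset(arena, SENTINEL, sizeof arena);
    s.data = resp; s.len = make_response(resp, sizeof resp, line_len); s.pos = 0;
    get_line_unbounded(&s, arena);
    for (i = BUFSZ; i < sizeof arena; i++)
        if (arena[i] != SENTINEL) spilled++;
    return spilled;
}

/* Runs the bounded reader on the same response.  Stores the first line's
 * result (-1 if rejected) and the second line's text; returns 0 on success. */
int demo_bounded(size_t line_len, long *first_len, char *second, size_t secondsz)
{
    static char resp[BUFSZ + SLACK + 64];
    char buf[BUFSZ];
    struct stream s;

    if (line_len >= BUFSZ + SLACK) return -1;
    s.data = resp; s.len = make_response(resp, sizeof resp, line_len); s.pos = 0;
    *first_len = get_line_bounded(&s, buf, sizeof buf);
    return get_line_bounded(&s, second, secondsz) < 0 ? -1 : 0;
}

int main(void)
{
    long first; char second[64];
    printf("2047-byte line spills %zu byte(s); 2048: %zu; 2100: %zu\n",
           bytes_past_buf(2047), bytes_past_buf(2048), bytes_past_buf(2100));
    demo_bounded(2100, &first, second, sizeof second);
    printf("bounded: first=%ld next=\"%s\"\n", first, second);
    return 0;
}
```

Note the off-by-one: a line of exactly 2048 bytes fits the data but puts the terminating NUL one byte past the buffer, which is why the bounded reader reserves room for it with `n + 1 < bufsz`.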
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
[ Part 2 (attachment 9.http), Text/PLAIN, charset unknown-8bit, 30 lines: not reproduced here. ]