what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

whitedunboffs.txt

whitedunboffs.txt
Posted Jan 2, 2008
Authored by Luigi Auriemma | Site aluigi.org

White Dune versions 0.29beta791 and below suffer from buffer overflow and format string vulnerabilities.

tags | advisory, overflow, vulnerability
SHA-256 | 3180aa0d4eb9dc5c37120d5e23c070a067c55ef57d95decab94c4ee69dc8f907

whitedunboffs.txt

Change Mirror Download

#######################################################################

Luigi Auriemma

Application: White_Dune
http://vrml.cip.ica.uni-stuttgart.de/dune/
Versions: <= 0.29beta791
Platforms: Unix/Linux/MacOSX and Windows
Bugs: A] buffer-overflow in Scene::errorf
B] format string in ImportFile
Exploitation: local
Date: 02 Jan 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


White_Dune is an open source editor/viewer for the VRML97 files.


#######################################################################

=======
2) Bugs
=======

-----------------------------------
A] buffer-overflow in Scene::errorf
-----------------------------------

A buffer-overflow vulnerability is located in the function which builds
the error messages for the problems happened during the parsing of the
WRL file.

>From Scene.cpp:

void
Scene::errorf(const char *fmt, ...)
{
va_list ap;
char buf[1024], buf2[1024];
const char *url = "";

va_start(ap, fmt);
vsprintf(buf, fmt, ap);
if (TheApp->getImportURL() != NULL)
url = TheApp->getImportURL();
mysnprintf(buf2, 1024, "%s %d: %s", url, lineno, buf);
_compileErrors += buf2;
}


------------------------------
B] format string in ImportFile
------------------------------

Another problem related to the handling of the errors.
After the building of the error message the parse() function returns
immediately and swDebugf() is called for visualizing it to stderr or to
the debugger without using the needed format argument required by the
function.

>From DuneApp.cpp:

DuneApp::ImportFile(const char *openpath, Scene* scene, bool protoLibrary,
Node *node, int field)
...
if (errors[0]) {
swMessageBox(_mainWnd, errors, "Parse Errors", SW_MB_OK, SW_MB_WARNING);
swDebugf(errors);
...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/whitedunboffs.zip


#######################################################################

======
4) Fix
======


Version 0.29beta795


#######################################################################


---
Luigi Auriemma
http://aluigi.org








Mobile :
Email :
Web : http://www.sd.zain.com/
--------------------------------------------------------------------------


--------------------------------------------------------------------------
Disclaimer

This communication is intended for the above named person and is confidential and / or legally privileged. Any opinion(s) expressed in this communication are not necessarily those of the Zain. If it has come to you in error you must take no action based upon it, nor must you print it, copy it, forward it, or show it to anyone. Please delete and destroy the e-mail and any attachments and inform the sender immediately. Thank you.
Zain is not responsible for the political, religious, racial or partisan opinion in any correspondence conducted by its domain users. Therefore, any such opinion expressed, whether explicitly or implicitly, in any said correspondence is not to be interpreted as that of Zain.
Zain may monitor all incoming and outgoing e-mails in line with Zain business practice. Although Zain has taken steps to ensure that e-mails and attachments are free from any virus, we advise that, in keeping with best business practice, the recipient must ensure they are actually virus free.
"
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close