+-[ Limpid Byte Advisory #003]---------------------------------+
|                                                              |
| Program: 2fax                                                |
| Version: all ( <=2.02 )                                      |
| OS: Linux/Windows                                            |
| Bug: Buffer Overflow in -bpcx option                         |
| Homepage: http://www.atbas.org                               |
|                                                              |
| Discovered by Crazy Einstein [crazy_einstein@yahoo.com]      |
|                                                              |
+--------------------------------------------------------------+

+Intro+--------------------------------------------------------+

2fax (by Hans Harder):

2fax is a command-line program which converts ASCII files into fax (TIFF) formatted files. It works with HylaFAX (Linux) and bgfax (DOS/Windows). It also uses PCX files for logos and signatures, which can be overlaid over the ASCII text.

+Bug+----------------------------------------------------------+

When 2fax is executed with the -bpcx option and the option value is long (more than 212 characters), the program segfaults:

[root@ns 2fax-2.02]# ./2fax -bpcx:`perl -e 'print "A"x666'` aaa aaa
Segmentation fault (core dumped)
[root@ns 2fax-2.02]# gdb 2fax core
...
#0  0x41414141 in ?? ()
(gdb)
...

The 0x41414141 frame shows that the saved return address was overwritten with the option bytes, so arbitrary code can be executed with the uid/gid of the binary's owner if 2fax is installed with the suid bit set.

+Solution+-----------------------------------------------------+

(1) Clear the suid bit from the program:

[root@ns 2fax-2.02]# chmod ug-s /path/to/2fax

(2) Edit the source of 2fax so that the length of the option value is checked before it is copied into page_pcxfn (81 bytes, including the terminating NUL, so at most 80 characters fit):

...
char page_pcxfn[81]="";   /* page pcx file */
...
word setswitches(char *sw, word cmdline, word def)
{
  ...
  case 17 : if (strlen(&sw[l]) < sizeof(page_pcxfn)) {  /* check the length before copying */
              strcpy(page_pcxfn,&sw[l]);
              if (cmdline==0) page_pcxno=Openpcx(1,page_pcxfn); /*1.91*/
            }
            else printf("Error: Length of pcx file is too big (max 80)\n");
            break;
  ...
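As an added example (not from the advisory or from the 2fax sources), a bounded replacement for the strcpy() into page_pcxfn, plus a helper that feeds it constructed option values of chosen lengths, including the 666-byte one that crashed 2fax above. The buffer size and variable names mirror the advisory; the "-bpcx:" prefix and the offset l at which the value starts are assumptions about the option format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PCX_FN_SIZE 81                      /* same size as 2fax's page_pcxfn[81] */

static char page_pcxfn[PCX_FN_SIZE] = "";   /* page pcx file */

/* Bounded replacement for strcpy(page_pcxfn, &sw[l]): copy the option value only
 * if it fits with its NUL. Returns 1 on success, 0 if rejected (buffer unchanged). */
int set_page_pcxfn(const char *sw, size_t l)
{
    const char *val = &sw[l];
    size_t n = strlen(val);
    if (n >= sizeof(page_pcxfn)) {
        fprintf(stderr, "Error: Length of pcx file is too big (max %zu)\n",
                sizeof(page_pcxfn) - 1);
        return 0;
    }
    memcpy(page_pcxfn, val, n + 1);         /* n <= 80, so the NUL fits */
    return 1;
}

const char *get_page_pcxfn(void) { return page_pcxfn; }

/* Constructed input: "-bpcx:" followed by n 'A' bytes (the shape of the perl
 * one-liner in the advisory). The prefix and offset l are assumed, not 2fax's. */
int accepts_value_of_length(size_t n)
{
    const char prefix[] = "-bpcx:";
    size_t l = sizeof(prefix) - 1;
    char *arg = malloc(l + n + 1);
    int ok;
    if (arg == NULL) return -1;
    memcpy(arg, prefix, l);
    memset(arg + l, 'A', n);
    arg[l + n] = '\0';
    ok = set_page_pcxfn(arg, l);
    free(arg);
    return ok;
}

int main(void)
{
    printf("80-byte value accepted:  %d\n", accepts_value_of_length(80));
    printf("81-byte value accepted:  %d\n", accepts_value_of_length(81));
    printf("666-byte value accepted: %d\n", accepts_value_of_length(666));
    return 0;
}
```

The 80-byte value is the longest accepted; 81 bytes and the advisory's 666-byte value are rejected and leave page_pcxfn untouched.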