From djb@cr.yp.to Wed Dec 15 14:21:44 2004
Date: 15 Dec 2004 08:21:54 -0000
From: D. J. Bernstein
To: securesoftware@list.cr.yp.to, mike@mikekohn.net
Subject: [remote] [control] asp2php 0.76.23 preparse() overflows token buffer; preparse() overflows temp buffer

Qiao Zhang, a student in my Fall 2004 UNIX Security Holes course, has
discovered two remotely exploitable security holes in asp2php. I'm
publishing this notice, but all the discovery credits should be assigned
to Zhang.

You are at risk if you take an ASP script from an email message (or a
web page or any other source that could be controlled by an attacker)
and feed that script through asp2php. (The asp2php documentation does
not tell users to avoid taking input from the network.) Whoever provides
that script then has complete control over your account: she can read
and modify your files, watch the programs you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10, type

   wget http://downloads.mikekohn.net/asp2php/asp2php-0.76.23.tar.gz
   gunzip < asp2php-0.76.23.tar.gz | tar -xf -
   cd asp2php-0.76.23
   make

to download and compile the asp2php program, version 0.76.23 (current).
Then save the file 29-1.asp attached to this message, and type

   ./asp2php 29-1.asp

with the unauthorized result that a file named EXPLOITED is created in
the current directory. 29-2.asp is similar but uses a separate buffer
overflow. (I tested these with a 541-byte environment, as reported by
printenv | wc -c.)

Both buffer overflows can be blamed on gettoken(), which has a
fundamentally broken gets()-style API. The preparse() function calls
gettoken() to read data into a 1024-byte token[] array, and to read data
into a 1024-byte temp[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

[ Part 2, Text/PLAIN (charset: unknown-8bit) 32 lines. ]
[ Part 3, Text/PLAIN (charset: unknown-8bit) 45 lines. ]
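The following is an added illustration of the API defect the advisory describes, not code from asp2php or from the advisory: a gets()-style token reader that cannot be told how large the caller's buffer is, placed beside a bounded reader that takes the size and reports a too-long token instead of writing past the array. The function names gettoken_unsafe, gettoken_safe and count_tokens, the whitespace-delimited tokenisation, and the sample inputs are assumptions made for the example; asp2php's real gettoken() and preparse() are not reproduced here.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same fixed size the advisory reports for preparse()'s token[] and temp[]. */
#define TOKEN_MAX 1024

static int is_sep(char c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }

/* gets()-style reader (illustrative, not asp2php's code): copies one
 * whitespace-delimited token from *src into tok and stops only at a separator
 * or end of input. The buffer length is not a parameter, so a token longer
 * than the array the caller passed is written past its end. Returns the token
 * length, or -1 at end of input. Never call this on untrusted input. */
static long gettoken_unsafe(const char **src, char *tok)
{
    const char *p = *src;
    long n = 0;
    while (is_sep(*p)) p++;
    if (*p == '\0') { *src = p; return -1; }
    while (*p != '\0' && !is_sep(*p)) tok[n++] = *p++;
    tok[n] = '\0';
    *src = p;
    return n;
}

/* Bounded reader: same tokenisation, but the caller passes the buffer size and
 * at most toksz-1 bytes plus the terminator are written. The full token length
 * is returned, snprintf-style, so the caller can detect that the token did not
 * fit (n >= toksz) instead of silently working on a truncated one. */
static long gettoken_safe(const char **src, char *tok, size_t toksz)
{
    const char *p = *src;
    long n = 0;
    if (toksz == 0) return -1;            /* nowhere to put even a terminator */
    while (is_sep(*p)) p++;
    if (*p == '\0') { *src = p; return -1; }
    while (*p != '\0' && !is_sep(*p)) {
        if ((size_t)n + 1 < toksz) tok[n] = *p;
        n++;
        p++;
    }
    tok[(size_t)n < toksz ? n : (long)toksz - 1] = '\0';
    *src = p;
    return n;
}

/* preparse()-style loop over an untrusted script: returns the number of tokens,
 * or -1 as soon as a token would not fit in a TOKEN_MAX buffer. Rejecting the
 * input is preferred to truncation, which could change the script's meaning. */
static long count_tokens(const char *script)
{
    char token[TOKEN_MAX];
    const char *cur = script;
    long count = 0, n;
    while ((n = gettoken_safe(&cur, token, sizeof token)) != -1) {
        if (n >= (long)sizeof token) return -1;
        count++;
    }
    return count;
}

/* Constructed attacker-style input: a single token of len bytes, no separators.
 * Fed to gettoken_unsafe() with a TOKEN_MAX buffer this would overflow; fed to
 * count_tokens() it is rejected. Caller frees the result. */
static long long_token_result(size_t len)
{
    char *s = malloc(len + 1);
    long r;
    if (s == NULL) return -2;
    memset(s, 'A', len);
    s[len] = '\0';
    r = count_tokens(s);
    free(s);
    return r;
}

/* Checks the bounded reader on a buffer far smaller than the token: the return
 * value reports the real length (10) while only 7 bytes plus NUL are stored. */
static int bounded_read_check(void)
{
    char small[8];
    const char *src = "abcdefghij rest";
    long n = gettoken_safe(&src, small, sizeof small);
    return n == 10 && strcmp(small, "abcdefg") == 0;
}

int main(void)
{
    const char *script = "<% Response.Write \"hi\" %>";   /* constructed sample */
    const char *cur = script;
    char tok[TOKEN_MAX];
    long n;

    /* The unsafe reader is only ever given short, known tokens here. */
    n = gettoken_unsafe(&cur, tok);
    printf("unsafe reader, first token: \"%s\" (%ld bytes)\n", tok, n);

    printf("tokens in sample script: %ld\n", count_tokens(script));
    printf("1500-byte token accepted? %s\n",
           long_token_result(1500) == -1 ? "no, rejected" : "yes");
    printf("bounded read check: %s\n", bounded_read_check() ? "ok" : "FAILED");
    return 0;
}
```

The fix that matters is the signature: once the buffer size is a parameter, the reader can be correct for every caller, whereas a gets()-style reader is only correct for inputs the attacker chose not to send.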