From djb@cr.yp.to Wed Dec 15 14:23:01 2004
Date: 15 Dec 2004 08:29:44 -0000
From: D. J. Bernstein
To: securesoftware@list.cr.yp.to, html2hdml-devel@lists.sourceforge.jp
Subject: [remote] [control] html2hdml 1.0.3 remove_quote overflows print_buf buffer

Wiktor Kopec and Matthew Dabrowski, two students in my Fall 2004 UNIX Security Holes course, have discovered a remotely exploitable security hole in html2hdml. I'm publishing this notice, but all the discovery credits should be assigned to Kopec and Dabrowski.

You are at risk if you take an HTML document from the web (or email or any other source that could be controlled by an attacker) and feed that document through html2hdml. (I don't see any documentation stating that html2hdml must not be applied to network data.) Whoever provides that document then has complete control over your account: he can read and modify your files, watch the programs you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type

   cd /usr/ports/www/html2hdml
   make install

to download and compile the html2hdml program, version 1.0.3 (apparently not the latest official version, but the latest FreeBSD ports version). Then, as any user, save the file 61.html attached to this message, and type

   html2hdml < 61.html > 61.hdml

with the unauthorized result that a file named x is removed from the current directory.

Here's the bug: In convert.c, remove_quote() copies any amount of data to a limited-size print_buf array.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago

[ Part 2, Text/HTML (charset: unknown-8bit) 56 lines. ]
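The bug class described in the last paragraph, as an added illustration that is not code from the advisory or from html2hdml: the unbounded copy pattern into a fixed-size array, beside a bounded form that rejects input which would not fit. The names remove_quote and print_buf come from the advisory; the buffer size (64) and what the routine strips (double-quote characters) are assumptions, since convert.c's actual semantics are not on the page. The unbounded version is shown only for comparison and is never fed oversized input here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed-size destination standing in for html2hdml's print_buf. The real
   size in convert.c is not given in the advisory; 64 is an assumption. */
#define PRINT_BUF_SIZE 64
static char print_buf[PRINT_BUF_SIZE];

/* The pattern the advisory describes: every non-quote byte of src is copied
   into print_buf with no check against the destination's size. Once the
   input is longer than the array, the writes run past its end (undefined
   behaviour). Kept only to contrast with the bounded form below; it must
   only ever be called with input shorter than PRINT_BUF_SIZE. */
static char *remove_quote_unbounded(const char *src) {
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (src[i] != '"')
            print_buf[j++] = src[i];   /* j is never compared to the array size */
    }
    print_buf[j] = '\0';
    return print_buf;
}

/* Hardened form: the caller passes the destination and its size, the copy
   stops before the terminator's slot is consumed, and input that would not
   fit is rejected (NULL, dst emptied) instead of being silently truncated,
   so callers handling attacker-controlled HTML can fail closed. */
static char *remove_quote_bounded(const char *src, char *dst, size_t dstsize) {
    size_t j = 0;
    if (dstsize == 0)
        return NULL;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (src[i] == '"')
            continue;
        if (j + 1 >= dstsize) {        /* always leave room for the '\0' */
            dst[0] = '\0';
            return NULL;
        }
        dst[j++] = src[i];
    }
    dst[j] = '\0';
    return dst;
}

/* Convenience wrapper: 1 if the bounded routine accepts src into a
   PRINT_BUF_SIZE destination, 0 if it rejects it. */
static int bounded_accepts(const char *src) {
    char out[PRINT_BUF_SIZE];
    return remove_quote_bounded(src, out, sizeof out) != NULL;
}

int main(void) {
    char out[PRINT_BUF_SIZE];
    const char *small = "<a href=\"x\">";   /* constructed sample input */
    char big[200];                          /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("small, bounded:   %s\n", remove_quote_bounded(small, out, sizeof out));
    printf("small, unbounded: %s\n", remove_quote_unbounded(small));
    printf("big, bounded:     %s\n",
           remove_quote_bounded(big, out, sizeof out) ? "accepted" : "rejected");
    return 0;
}
```

The point of the bounded variant is that the destination size travels with the destination pointer, so the check cannot be forgotten at the one call site that happens to receive network data; returning NULL rather than a truncated string keeps the caller from treating a partially converted document as valid output.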