From djb@cr.yp.to Wed Dec 15 14:22:29 2004
Date: 15 Dec 2004 08:26:47 -0000
From: D. J. Bernstein
To: securesoftware@list.cr.yp.to, ondrej@users.sourceforge.net
Subject: [remote] [control] chbg 1.5 simplify_path overflows res buffer

Danny Lungstrom, a student in my Fall 2004 UNIX Security Holes course, has discovered a remotely exploitable security hole in ChBg, a tool to change background pictures. I'm publishing this notice, but all the discovery credits should be assigned to Lungstrom.

You are at risk if, under Linux, you take a chbg scenario file---a list of pictures to display---from an email message (or a web page or any other source that could be controlled by an attacker). Whoever provides that input then has complete control over your account: he can read and modify your files, watch the programs you're running, etc.

Of course, when you accept a list of input filenames from someone else, you are running the risk that those filenames include some of your files, so that chbg will display some of your files (maybe secret pictures). But the chbg documentation does not suggest that there is any larger risk.

Proof of concept: On an x86 computer running Linux with gcc 2.95.4, type

   wget http://unc.dl.sourceforge.net/sourceforge/chbg/chbg-1.5.tgz
   gunzip < chbg-1.5.tgz | tar -xf -
   cd chbg-1.5
   ./configure
   make

to download and compile the chbg program, version 1.5 (current). Then save the file 49.list attached to this message, and type

   src/chbg -scenario 49.list

with the unauthorized result that a file named x is removed from the current directory.

Here's the bug: In config.c, simplify_path() copies data into a 2048-byte res[] array. The amount of data is limited only by PATH_MAX, which is 4096 under Linux. (FreeBSD is immune to this particular attack because its PATH_MAX is only 1024.)

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago

[ Part 2, Text/PLAIN (charset: unknown-8bit) 84 lines. ]
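The bug described above is the classic mismatch between a fixed-size destination (the 2048-byte res[] array) and an input whose only bound is PATH_MAX (4096 on Linux). The following is an added example, not chbg's config.c: a path-simplifying routine written the way a defender would want simplify_path() to behave, taking the destination size as a parameter and refusing, before any byte is written, any result that would not fit. The function names simplify_path_safe(), simplified_equals() and rejects_oversized_path(), and the constants RES_SIZE and LINUX_PATH_MAX, are this example's own; the values 2048 and 4096 are the ones the advisory states. The over-long input is constructed in the code to sit between those two sizes, exactly the window the advisory says an attacker-controlled scenario file can occupy.

```c
/* Added example (not chbg's code): a bounds-checked path simplifier.
 * Collapses repeated '/', "." and ".." components the way a simplify_path()
 * is expected to, but never writes past the caller-supplied buffer size. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RES_SIZE       2048   /* size of the res[] array named in the advisory */
#define LINUX_PATH_MAX 4096   /* PATH_MAX on Linux, as the advisory states */

/* Simplify src into dst (dstlen bytes). Returns 0 on success, -1 if the
 * result (including the terminating NUL) would not fit. On -1, dst holds
 * only what was already written and is not necessarily NUL-terminated. */
int simplify_path_safe(const char *src, char *dst, size_t dstlen)
{
    size_t out = 0;      /* bytes of dst used so far */
    size_t depth = 0;    /* real (poppable) components currently in dst */
    const char *p = src;
    int absolute = (*p == '/');

    if (dstlen == 0)
        return -1;
    if (absolute) {
        if (dstlen < 2)
            return -1;
        dst[out++] = '/';
        while (*p == '/')
            p++;
    }
    while (*p) {
        const char *comp = p;
        size_t len;
        int is_dotdot;

        while (*p && *p != '/')
            p++;
        len = (size_t)(p - comp);
        while (*p == '/')            /* swallow runs of '/' */
            p++;

        if (len == 1 && comp[0] == '.')
            continue;                /* "." adds nothing */
        is_dotdot = (len == 2 && comp[0] == '.' && comp[1] == '.');
        if (is_dotdot) {
            if (depth > 0) {         /* pop the previous real component */
                out--;               /* drop its trailing '/' */
                while (out > 0 && dst[out - 1] != '/')
                    out--;
                depth--;
                continue;
            }
            if (absolute)
                continue;            /* "/.." is just "/" */
            /* relative path with nothing to pop: keep ".." literally */
        }
        /* The check the advisory's bug lacks: component + '/' + NUL must fit. */
        if (out + len + 2 > dstlen)
            return -1;
        memcpy(dst + out, comp, len);
        out += len;
        dst[out++] = '/';
        if (!is_dotdot)
            depth++;
    }
    if (out > 1 && dst[out - 1] == '/')   /* strip trailing '/' except for "/" */
        out--;
    dst[out] = '\0';
    return 0;
}

/* Helper: simplify src into a RES_SIZE buffer and compare with expect. */
int simplified_equals(const char *src, const char *expect)
{
    char res[RES_SIZE];
    if (simplify_path_safe(src, res, sizeof res) != 0)
        return 0;
    return strcmp(res, expect) == 0;
}

/* Construct a 3000-byte path (above RES_SIZE, below LINUX_PATH_MAX) made of
 * 7-character components, and report whether the checked routine rejects it.
 * Returns 1 when it is rejected, which is the safe outcome. */
int rejects_oversized_path(void)
{
    char res[RES_SIZE];
    size_t n = 3000, i;
    char *big = malloc(n + 1);
    int rc;
    if (!big)
        return 0;
    memset(big, 'a', n);
    for (i = 0; i < n; i += 8)
        big[i] = '/';
    big[n] = '\0';
    rc = simplify_path_safe(big, res, sizeof res);
    free(big);
    return rc == -1;
}

int main(void)
{
    char res[RES_SIZE];
    if (simplify_path_safe("/usr//local/./bin/../lib", res, sizeof res) == 0)
        printf("simplified: %s\n", res);
    printf("oversized path rejected: %s\n",
           rejects_oversized_path() ? "yes" : "no");
    return 0;
}
```

The essential difference from the routine the advisory describes is that the destination size travels with the destination pointer and is compared against the next component before memcpy(), so an input of any length up to PATH_MAX (or beyond) produces an error return instead of writes past res[].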