From djb@cr.yp.to Wed Dec 15 14:20:49 2004
Date: 15 Dec 2004 08:16:04 -0000
From: D. J. Bernstein
To: securesoftware@list.cr.yp.to, di77ihd@users.sourceforge.net
Subject: [remote] [control] jpegtoavi 1.5 get_file_list_stdin overflows fn buffer

James Longstreet, a student in my Fall 2004 UNIX Security Holes course, has discovered a remotely exploitable security hole in jpegtoavi. I'm publishing this notice, but all the discovery credits should be assigned to Longstreet.

You are at risk if you take jpegtoavi input---a set of JPEG files and a file listing the names of the JPEG files---from an email message (or a web page or any other source that could be controlled by an attacker). Whoever provides that input then has complete control over your account: he can read and modify your files, watch the programs you're running, etc.

Of course, when you accept a list of input filenames from someone else, you are running the risk that those filenames include some of your files, so that the jpegtoavi output will include some of your files (maybe secret pictures). But the jpegtoavi documentation does not suggest that there is any larger risk.

Proof of concept: On an x86 computer running Linux with gcc 2.95.4, type

   wget http://umn.dl.sourceforge.net/sourceforge/jpegtoavi/jpegtoavi-1.5.tar.gz
   gunzip < jpegtoavi-1.5.tar.gz | tar -xf -
   cd jpegtoavi-1.5
   make

to download and compile the jpegtoavi program. Then save the file 10.list attached to this message, and type

   ./jpegtoavi -f 1 640 480 < 10.list

with the unauthorized result that a directory named ``hacked'' is created inside the current directory.

Here's the bug: In jpegtoavi.c, get_file_list_stdin() uses an unprotected %s scanf to read any number of bytes into an fn[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago

[ Part 2, Text/PLAIN (charset: unknown-8bit), 95 lines: the 10.list attachment, not reproduced here. ]
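The bug class described above, as an added example that is not jpegtoavi's own code and not part of the original notice: a reader that uses an unbounded "%s" scanf into a fixed fn[] array, next to a bounded reader that rejects any name that does not fit. FN_LEN, the function names and the sample lists are assumptions made for this illustration; jpegtoavi's real buffer size and surrounding logic are not shown here.

```c
/* Added example (not jpegtoavi's code). Shows the unbounded-scanf pattern
 * behind the get_file_list_stdin() bug and a bounded replacement.
 * FN_LEN, MAX_NAMES and the sample inputs are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define FN_LEN 256      /* assumed size of the fn[] buffer (illustrative) */
#define MAX_NAMES 64    /* assumed cap on the number of names the caller holds */

/* Vulnerable pattern: "%s" carries no field width, so scanf keeps copying
 * bytes into fn[] past its end whenever a whitespace-delimited token in the
 * list is longer than FN_LEN - 1. The list is attacker-supplied, so the
 * attacker chooses how far past the array the write goes. */
int count_names_unbounded(FILE *in)
{
    char fn[FN_LEN];
    int n = 0;
    while (fscanf(in, "%s", fn) == 1)   /* BUG: no width bound on %s */
        n++;
    return n;
}

/* Bounded reader: one name per line. fgets never writes more than FN_LEN
 * bytes. If the buffer fills without a newline, the next byte tells whether
 * the line was exactly FN_LEN - 1 bytes (accepted), the final unterminated
 * line at EOF (accepted) or longer than the buffer (whole list rejected with
 * -1, rather than silently truncating a path). Empty lines are skipped. */
int read_names_bounded(FILE *in, char names[][FN_LEN], int max_names)
{
    char fn[FN_LEN];
    int n = 0;
    while (fgets(fn, sizeof fn, in) != NULL) {
        size_t len = strcspn(fn, "\n");
        if (fn[len] != '\n') {
            int c = fgetc(in);
            if (c != EOF && c != '\n')
                return -1;              /* name longer than FN_LEN - 1 bytes */
        }
        fn[len] = '\0';
        if (len == 0)
            continue;
        if (n == max_names)
            return -1;                  /* more names than the caller can hold */
        memcpy(names[n++], fn, len + 1);
    }
    return n;
}

/* Helper: run a reader over constructed in-memory text via a temporary file. */
static FILE *open_text(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

/* Only ever fed short tokens here: a long token would be the overflow. */
int names_in_text_unbounded(const char *text)
{
    FILE *in = open_text(text);
    if (in == NULL)
        return -2;
    int n = count_names_unbounded(in);
    fclose(in);
    return n;
}

int names_in_text_bounded(const char *text)
{
    char names[MAX_NAMES][FN_LEN];
    FILE *in = open_text(text);
    if (in == NULL)
        return -2;
    int n = read_names_bounded(in, names, MAX_NAMES);
    fclose(in);
    return n;
}

/* Constructs a list with one 600-byte name, the shape an attacker's list
 * would take, and confirms the bounded reader refuses it. Returns 1 if so. */
int overlong_name_is_rejected(void)
{
    char list[700];
    memset(list, 'A', 600);
    memcpy(list + 600, ".jpg\n", 6);
    return names_in_text_bounded(list) == -1;
}
```

The fix for the original pattern is the same idea: give scanf a width ("%255s" for a 256-byte buffer) and then check whether the token was cut short, or switch to fgets as above. A width alone silently truncates a long name into a different path, which is why the bounded reader rejects the list outright instead.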