From djb@cr.yp.to Wed Dec 15 14:22:25 2004
Date: 15 Dec 2004 08:25:52 -0000
From: D. J. Bernstein
To: securesoftware@list.cr.yp.to, cantzler@gmx.net
Subject: [remote] [control] Mesh Viewer 0.2.2 Mesh::type overflows s1 buffer

Mohammed Khan and Danny Lungstrom, two students in my Fall 2004 UNIX Security Holes course, have discovered a remotely exploitable security hole in Mesh Viewer. I'm publishing this notice, but all the discovery credits should be assigned to Khan and Lungstrom.

You are at risk if you take a mesh file from an email message (or a web page or any other source that could be controlled by an attacker) and feed that document through mview. Whoever provides that document then has complete control over your account: he can read and modify your files, watch the programs you're running, etc.

The Mesh Viewer documentation does not tell users to avoid taking input from the network. In fact, the Mesh Viewer web page specifically points to web pages with sample meshes.

Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type

   cd /usr/ports/graphics/meshviewer
   make install

to download and compile the Mesh Viewer program, version 0.2.2 (current). Then, as any user, save the file 46.mesh attached to this message, and type

   mview 46.mesh

with the unauthorized result that a file named ``exploited'' is created in the current directory.

Here's the bug: In mesh.c, Mesh::type() uses fscanf() to read any number of bytes into the 20-byte s1 and s2 arrays.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
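The defect class named in the bug description, an fscanf() "%s" conversion with no field width writing into fixed 20-byte arrays, is shown below as an added C example; this is not Mesh Viewer's mesh.c and not code from the advisory. The function names, the two-token line format and the sample inputs are assumptions made for the illustration. The unbounded form is kept only to show the shape of the bug; the bounded form limits the width to 19 so the terminating NUL fits, and then refuses any token that had to be truncated instead of silently accepting its first 19 bytes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define S_LEN 20   /* matches the 20-byte s1/s2 arrays named in the advisory */

/* Shape of the bug (hypothetical reconstruction, not Mesh Viewer's code):
 * "%s" carries no width, so a token of 20 bytes or more overruns s1 or s2. */
void type_unbounded(FILE *f, char s1[S_LEN], char s2[S_LEN]) {
    if (fscanf(f, "%s %s", s1, s2) != 2) {  /* unbounded: stack overflow on long input */
        s1[0] = s2[0] = '\0';
    }
}

/* Bounded read of one whitespace-delimited token from `line` starting at *pos.
 * "%19s" keeps the write inside S_LEN bytes; "%n" reports how many input bytes
 * were consumed so we can check what follows the token. Returns 1 on success. */
static int read_one_token(const char *line, size_t *pos, char out[S_LEN]) {
    int used = 0;
    if (sscanf(line + *pos, "%19s%n", out, &used) != 1) return 0;
    *pos += (size_t)used;
    /* If the byte after the token is neither whitespace nor end-of-string, the
     * token did not fit in S_LEN: reject it rather than keep a truncated name. */
    unsigned char next = (unsigned char)line[*pos];
    if (next != '\0' && !isspace(next)) return 0;
    return 1;
}

/* Hardened counterpart of the unbounded parse: fills s1 and s2 from a line of
 * the assumed "type count" form. Returns 1 on success, 0 if either token is
 * missing or too long; on failure both arrays are left empty. */
int parse_type_line(const char *line, char s1[S_LEN], char s2[S_LEN]) {
    size_t pos = 0;
    memset(s1, 0, S_LEN);
    memset(s2, 0, S_LEN);
    if (!read_one_token(line, &pos, s1)) { s1[0] = '\0'; return 0; }
    if (!read_one_token(line, &pos, s2)) { s1[0] = s2[0] = '\0'; return 0; }
    return 1;
}

int main(void) {
    char s1[S_LEN], s2[S_LEN];
    /* Constructed sample lines: one well-formed, one with an over-long token. */
    const char *ok  = "triangle 3";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 3";
    printf("\"%s\" -> %d (s1=%s, s2=%s)\n", ok, parse_type_line(ok, s1, s2), s1, s2);
    printf("over-long token -> %d\n", parse_type_line(bad, s1, s2));
    return 0;
}
```

The check after each token matters: "%19s" alone stops the overflow but would quietly turn a 36-byte type name into a 19-byte one, and a parser that carries on with a wrong type is still a correctness problem even when it is no longer a memory-safety one. Rejecting the line keeps the failure visible.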