OSEC

DJB's students release 44 *nix software vulnerability advisories

From: Thor Larholm (thorpivx.com)
Date: Thu Dec 16 2004 - 03:47:12 CST


Widely deployed open source software is commonly believed to contain
fewer security vulnerabilities than similar closed source software due
to the possibility of unrestricted third party source code auditing.
Predictably, most users of open source software do not invest a
significant amount of time to audit the applications they use and now a
class of 25 students has discovered 44 vulnerabilities during a CS
course.

This small group of students highlights how individuals outside the
security industry without special security prerequisites can still
manage to outperform the average Bugtraq poster in sheer quantity of
discoveries. This adequately validates the typical estimate of between 5
and 15 errors in every thousand lines of code.

D.J. Bernstein (http://cr.yp.to/djb.html) is lecturing a course this
fall at the University of Illinois at Chicago called "MCS 494: Unix
Security Holes" (http://cr.yp.to/2004-494.html). One of the requirements
to pass the course was to find and exploit 10 previously undiscovered
security holes in currently deployed Unix software.

With a class of 25 students discovering 44 vulnerabilities, most students
now expect to fail the course
(http://it.slashdot.org/article.pl?sid=04/12/15/2113202).

The 44 security advisories have been published at

http://tigger.uic.edu/~jlongs2/holes/

Ariel Berkman has discovered a remotely exploitable security hole in
2fax, a text-to-TIFF converter.
[remote] [control] 2fax 3.04 expandtabs overflows s buffer
http://tigger.uic.edu/~jlongs2/holes/2fax.txt

Limin Wang has discovered two remotely exploitable security holes in
abc2midi.
[remote] [control] abc2midi 2004.12.04 event_text overflows msg buffer;
event_specific overflows msg buffer
http://tigger.uic.edu/~jlongs2/holes/abc2midi.txt

Limin Wang has discovered a remotely exploitable security hole in
abc2mtex.
[remote] [control] abc2mtex 1.6.1 process_abc overflows key buffer
http://tigger.uic.edu/~jlongs2/holes/abc2mtex.txt

Limin Wang has discovered a remotely exploitable security hole in
abcm2ps.
[remote] [control] abcm2ps 3.7.20 put_words overflows str buffer
http://tigger.uic.edu/~jlongs2/holes/abcm2ps.txt

Yosef Klein has discovered a remotely exploitable security hole in
abcpp.
[remote] [control] abcpp 1.3.0 process_directive overflows token buffer
http://tigger.uic.edu/~jlongs2/holes/abcpp.txt

Limin Wang has discovered two remotely exploitable security holes in
abctab2ps.
[remote] [control] abctab2ps 1.6.3 write_heading overflows t; trim_title
overflows rest
http://tigger.uic.edu/~jlongs2/holes/abctab2ps.txt

Qiao Zhang has discovered two remotely exploitable security holes in
asp2php.
[remote] [control] asp2php 0.76.23 preparse() overflows token buffer;
preparse() overflows temp buffer
http://tigger.uic.edu/~jlongs2/holes/asp2php.txt

James Longstreet and Tom Indelli have discovered a remotely exploitable
security hole in bsb2ppm, a program to convert BSB image files to PPM
image files.
[remote] [control] bsb2ppm 0.0.6 overflows line buffer
http://tigger.uic.edu/~jlongs2/holes/bsb2ppm.txt

Ariel Berkman has discovered a locally exploitable security hole in
ChangePassword, a YP/Samba/Squid password-changing tool.
[local] [control] ChangePassword 0.8 runs setuid shell
http://tigger.uic.edu/~jlongs2/holes/changepassword.txt

Danny Lungstrom has discovered a remotely exploitable security hole in
ChBg, a tool to change background pictures.
[remote] [control] chbg 1.5 simplify_path overflows res buffer
http://tigger.uic.edu/~jlongs2/holes/chbg.txt

Ariel Berkman has discovered a remotely exploitable security hole in
Convex 3D.
[remote] [control] Convex 3D 0.8pre1 readObjectChunk overflows
objectname buffer
http://tigger.uic.edu/~jlongs2/holes/convex3d.txt

Limin Wang has discovered a remotely exploitable security hole in
csv2xml.
[remote] [control] csv2xml 0.5.1 get_field_headers overflows token
http://tigger.uic.edu/~jlongs2/holes/csv2xml.txt

Ariel Berkman has discovered a remotely exploitable security hole in
CUPS.
[remote] [control] CUPS 1.1.22 hpgltops ParseCommand overflows buf
http://tigger.uic.edu/~jlongs2/holes/cups.txt

Bartlomiej Sieka has discovered several security problems in how
lppasswd, version 1.1.22 (current), edits /usr/local/etc/cups/passwd.
[local] [kill] CUPS 1.1.22 lppasswd ignores write errors, etc.
http://tigger.uic.edu/~jlongs2/holes/cups2.txt

Ariel Berkman has discovered a remotely exploitable security hole in
dxfscope, a viewer for DXF drawings.
[remote] [control] dxfscope 0.2 overflows ent_name buffer
http://tigger.uic.edu/~jlongs2/holes/dxfscope.txt

Ariel Berkman has discovered a remotely exploitable security hole in the
elm/bolthole filter program.
[remote] [control] elm/bolthole filter 2.6.1 save_embedded_address
overflows address buffer
http://tigger.uic.edu/~jlongs2/holes/elm-bolthole-filter.txt

Manigandan Radhakrishnan has discovered two remotely exploitable
security holes in ``Get and Resume Elite Edition'' (greed), an FTP/HTTP
downloading tool.
[remote] [control] greed 0.81p DownloadLoop overflows COMMAND;
DownloadLoop does not check for nasty characters
http://tigger.uic.edu/~jlongs2/holes/greed.txt

Wiktor Kopec and Matthew Dabrowski have discovered a remotely
exploitable security hole in html2hdml.
[remote] [control] html2hdml 1.0.3 remove_quote overflows print_buf
buffer
http://tigger.uic.edu/~jlongs2/holes/html2hdml.txt

Manigandan Radhakrishnan has discovered a locally exploitable security
hole in IglooFTP, at least version 0.6.1 (the current version in FreeBSD
ports).
[local] [control] IglooFTP 0.6.1 uses fopen in /tmp
http://tigger.uic.edu/~jlongs2/holes/iglooftp.txt

Yosef Klein has discovered a remotely exploitable security hole in
IglooFTP, at least version 0.6.1 (the current version in FreeBSD ports).
[remote] [control] IglooFTP 0.6.1 does not check for directory escapes
http://tigger.uic.edu/~jlongs2/holes/iglooftp2.txt

Tom Palarz and Limin Wang have discovered a remotely exploitable
security hole in jcabc2ps.
[remote] [control] jcabc2ps switch_voice() overflows t1 buffer
http://tigger.uic.edu/~jlongs2/holes/jcabc2ps.txt

James Longstreet has discovered a remotely exploitable security hole in
jpegtoavi.
[remote] [control] jpegtoavi 1.5 get_file_list_stdin overflows fn buffer
http://tigger.uic.edu/~jlongs2/holes/jpegtoavi.txt

Yosef Klein has discovered two remotely exploitable security holes in
junkie, an FTP client, version 0.3.1 (current).
[remote] [control] junkie 0.3.1 gui_popup_view_fly does not check for
nasty characters; ftp_retr does not check for directory escapes
http://tigger.uic.edu/~jlongs2/holes/junkie.txt

Stephen Dranger has discovered a remotely exploitable security hole in
LinPopUp, an instant-messaging tool.
[remote] [control] LinPopUp 1.2.0 overflows sub_string buffer
http://tigger.uic.edu/~jlongs2/holes/linpopup.txt

Mohammed Khan and Danny Lungstrom have discovered a remotely exploitable
security hole in Mesh Viewer.
[remote] [control] Mesh Viewer 0.2.2 Mesh::type overflows s1 buffer
http://tigger.uic.edu/~jlongs2/holes/meshviewer.txt

Bartlomiej Sieka has discovered a remotely exploitable security hole in
mpg123.
[remote] [control] mpg123 0.59r find_next_file overflows linetmp buffer
http://tigger.uic.edu/~jlongs2/holes/mpg123.txt

Ariel Berkman has discovered a remotely exploitable security hole in
MPlayer.
[remote] [control] MPlayer 1.0pre5 get_header overflows data buffer
http://tigger.uic.edu/~jlongs2/holes/mplayer.txt

Bartlomiej Sieka has discovered a remotely exploitable security hole in
NapShare, at least version 1.2 (the current version in FreeBSD ports).
[remote] [control] NapShare 1.2 auto_filter_extern overflows filename
buffer
http://tigger.uic.edu/~jlongs2/holes/napshare.txt

Jonathan Rockway has discovered a remotely exploitable security hole in
NASM.
[remote] [control] NASM 0.98.38 error() overflows buff[]
http://tigger.uic.edu/~jlongs2/holes/nasm.txt

Wiktor Kopec has discovered a remotely exploitable security hole in
o3read, a converter for SXW files.
[remote] [control] o3read 0.0.3 parse_html overflows t buffer
http://tigger.uic.edu/~jlongs2/holes/o3read.txt

Danny Lungstrom has discovered two remotely exploitable security holes
in pcal.
[remote] [control] pcal 4.7.1 getline overflows tmpbuf; get_holiday
overflows tmp
http://tigger.uic.edu/~jlongs2/holes/pcal.txt

Tom Palarz and Kris Kubicki have discovered a remotely exploitable
security hole in pgn2web, a converter from PGN-format chess games to web
pages.
[remote] [control] pgn2web 0.3 process_moves overflows token buffer
http://tigger.uic.edu/~jlongs2/holes/pgn2web.txt

Jonathan Rockway has discovered that qwik-smtpd, version 0.3, allows
spammers to freely relay mail.
[remote] [exhaust] qwik-smtpd overflows clientHelo buffer
http://tigger.uic.edu/~jlongs2/holes/qwik-smtpd.txt

Qiao Zhang has discovered a remotely exploitable security hole in
ringtonetools.
[remote] [control] ringtonetools 2.22 parse_emelody overflows song
buffer
http://tigger.uic.edu/~jlongs2/holes/ringtonetools.txt

Limin Wang has discovered a remotely exploitable security hole in
rtf2latex2e.
[remote] [control] rtf2latex2e 1.0fc2 ReadFontTbl overflows buffer
http://tigger.uic.edu/~jlongs2/holes/rtf2latex2e.txt

Yosef Klein has discovered a remotely exploitable security hole in
tnftp, an FTP client, version 20030825 (current at least in FreeBSD
ports).
[remote] [control] tnftp 20030825 does not check for directory escapes
http://tigger.uic.edu/~jlongs2/holes/tnftp.txt

Danny Lungstrom has discovered that uml_net allows local users to take
down the computer's Ethernet connection.
[local] [kill] uml-utilities 20030903 uml_net slip_down() fails to check
permissions
http://tigger.uic.edu/~jlongs2/holes/uml-utilites.txt

Yosef Klein and Limin Wang have discovered a remotely exploitable
security hole in unrtf.
[remote] [control] unrtf 0.19.3 process_font_table overflows name buffer
http://tigger.uic.edu/~jlongs2/holes/unrtf.txt

Qiao Zhang has discovered a remotely exploitable security hole in vb2c.
[remote] [control] vb2c 0.02 parse_sub overflows token buffer
http://tigger.uic.edu/~jlongs2/holes/vb2c.txt

Ariel Berkman has discovered a remotely exploitable security hole in
vilistextum, an HTML-to-text converter.
[remote] [control] vilistextum 2.6.6 get_attr overflows temp buffer
http://tigger.uic.edu/~jlongs2/holes/vilistextum.txt

Ariel Berkman has discovered a remotely exploitable security hole in
xine-lib.
[remote] [control] xine-lib open_aiff_file overflows buffer
http://tigger.uic.edu/~jlongs2/holes/xine-lib.txt

Tom Palarz and Kris Kubicki have discovered a remotely exploitable
security hole in xlreader, a program to read Excel files.
[remote] [control] xlreader 0.9.0 overflows insert_start buffer
http://tigger.uic.edu/~jlongs2/holes/xlreader.txt

Manigandan Radhakrishnan has discovered a remotely exploitable security
hole in YAMT, an MP3-organization tool.
[remote] [control] YAMT 0.5 id3tag_sort does not check for nasty
characters
http://tigger.uic.edu/~jlongs2/holes/yamt.txt

Ariel Berkman has discovered a remotely exploitable security hole in
Yanf.
[remote] [control] Yanf 0.4 get() overflows buf
http://tigger.uic.edu/~jlongs2/holes/yanf.txt

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thorpivx.com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>
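The advisory one-liners above fall into a few recurring classes: a parser copying an attacker-controlled field from an input file into a fixed-size stack buffer ("X overflows Y buffer", the large majority), an FTP client writing a server-supplied filename to disk without rejecting path separators ("does not check for directory escapes": IglooFTP, junkie, tnftp), and a filename interpolated into a shell command ("does not check for nasty characters": greed, junkie, YAMT). The C below is an added example written for this page; it is not code from any of the listed projects or from the original post. It shows the unsafe copy beside a bounded version that refuses over-long input, a single-component basename check of the kind an FTP client needs before RETR writes a file, and a shell-metacharacter check. Function names, the `K:` header format and the `KEYSZ` buffer size are hypothetical.

```c
/* Added example, not code from the advisories above. Names and formats are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define KEYSZ 32  /* hypothetical fixed-size field buffer, as in "overflows key buffer" */

/* Vulnerable pattern: a "K:<value>" header line from an untrusted file is
 * copied into a fixed stack buffer with no length check. Shown only for
 * contrast; never call this with attacker-controlled input. */
void process_header_unsafe(const char *line)
{
    char key[KEYSZ];
    strcpy(key, line + 2);          /* overflow when strlen(line + 2) >= KEYSZ */
    printf("unsafe key: %s\n", key);
}

/* Bounded copy: fails loudly instead of overflowing or truncating silently.
 * Returns 0 on success, -1 if src (with its NUL) does not fit. */
int copy_field(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened header parser: checks the prefix, then copies with a bound. */
int process_header_safe(const char *line, char *key, size_t keysz)
{
    if (strncmp(line, "K:", 2) != 0)
        return -1;
    return copy_field(key, keysz, line + 2);
}

/* Constructed over-long input: "K:" followed by 93 'A's. Returns 1 when the
 * bounded parser rejects it rather than writing past a KEYSZ buffer. */
int overlong_header_rejected(void)
{
    char line[KEYSZ + 64];
    char key[KEYSZ];
    memset(line, 'A', sizeof line - 1);
    line[sizeof line - 1] = '\0';
    line[0] = 'K';
    line[1] = ':';
    return process_header_safe(line, key, sizeof key) == -1;
}

/* Directory-escape check for a server-supplied filename (e.g. from an FTP
 * directory listing): accept exactly one path component, so no '/' or '\\',
 * not "." or "..", and no control characters. Returns 1 if safe to open
 * relative to the download directory, 0 otherwise. */
int is_safe_basename(const char *name)
{
    const unsigned char *p;
    if (name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (p = (const unsigned char *)name; *p; p++) {
        if (*p == '/' || *p == '\\' || *p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* "Nasty characters" check: returns 1 if the string would be interpreted by
 * /bin/sh when pasted into a system()/popen() command line. The real fix is
 * to avoid the shell entirely (execvp with an argv), but a program that must
 * keep system() should at least refuse these. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, "`$|;&<>()\"'\\ \t\n*?[]{}~#!") != NULL;
}

int main(void)
{
    char key[KEYSZ];
    printf("K:Cmaj parsed: %d (key=%s)\n",
           process_header_safe("K:Cmaj", key, sizeof key), key);
    printf("over-long header rejected: %d\n", overlong_header_rejected());
    printf("'../../.ssh/authorized_keys' safe: %d\n",
           is_safe_basename("../../.ssh/authorized_keys"));
    printf("'x;rm -rf ~.mp3' has metachars: %d\n",
           has_shell_metachars("x;rm -rf ~.mp3"));
    return 0;
}
```

`copy_field` deliberately returns an error rather than truncating with `strncpy`: a truncated key, path or command is a different input than the one the file contained, and several of the listed tools would still have passed it on to the next stage. The basename check is stricter than "reject `..`" because a name such as `sub/../..` or an absolute path is enough to escape the download directory on its own.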