From: Pavel Kankovsky (peakargo.troja.mff.cuni.cz)
Date: Fri Jun 29 2001 - 03:23:38 CDT

    There is a trivial stack buffer overflow in ncompress 4.2.4 and presumably
    most older versions (but I doubt anyone is using them). Give it a filename
    longer than 1023 chars and see both compress and uncompress go down in
    flames (this one is pretty easy to spot, just look at the beginning of
    comprexx(); if you want a patch, you can find it in [1]). Red Hat, up to
    the most recent Raw Hide, is affected. Debian is safe, because it does not
    include the package (probably due to the stupid LZW patent).

    There used to be a similar problem in gzip (unpatched 1.2.4) but the
    overflow happened in BSS rather than on the stack ([2]). As far as I can
    tell, version 1.3, included in RH 7.0+ and its clones, has this bug fixed
    but older versions (like the still supported 6.2) are affected. Debian is
    still using 1.2.4 but they patched it a long time ago.

    Bzip2 is probably as bad as its two friends [3].

    Perfectionism dictating no program should ever crash aside, this is also
    a security risk when these programs get their filename from an untrusted
    party. One particularly attractive opportunity is a "smart" FTP server
    that can run them upon the client's request [4], e.g. wu-ftpd, together
    with an ability to upload files. As far as I know, no one has published an
    exploit yet--there are many technical obstacles (e.g. wu-ftpd limits the
    size of every command to 1/2 kB or something like that), but I think I am
    quite close to putting all pieces together. This is bad news for anyone
    providing FTP-only accounts, and we have not discussed other ways to
    exploit those bugs yet.

    Conclusion: If you neglect to fix old bugs for a long time (perhaps
    because they look irrelevant), they will come back and bite you.

    References:

    [1] Date: Sat, 15 Apr 2000 23:39:01 +0100
        From: Antonomasia <antnotatla.demon.co.uk>
        To: security-auditferret.lmh.ox.ac.uk
        Subject: Re: ncompress-4.2.4 race condition

    [2] Date: Thu, 25 Dec 1997 15:20:40 +0100
        From: "Michal Zalewski" <lcamtufPOLBOX.COM>
        To: BUGTRAQNETSPACE.ORG
        Subject: Gzip & segmentation faults

    [3] Date: Mon, 22 Jun 1998 16:14:03 -0700 (PDT)
        From: Zach Brown <zabzabbo.net>
        To: security-auditferret.lmh.ox.ac.uk
        Subject: a quick peek at bzip2

    [4] Date: Sat, 20 Jun 1998 21:48:47 +0100 (BST)
        From: Chris Evans <chrisferret.lmh.ox.ac.uk>
        To: security-auditferret.lmh.ox.ac.uk
        Subject: ~ftp/bin integrity?

    --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
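The bug class the post describes (an unchecked copy of a caller-supplied filename into a fixed-size stack buffer at the start of comprexx()) and the shape of the fix, as an added example. This is not code from the post or from ncompress: the buffer size of 1024 bytes is taken from the post's "longer than 1023 chars" threshold, and the function names `unsafe_name_copy`, `safe_name_copy` and `name_of_length_accepted` are invented here for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a 1024-byte name buffer, matching the post's observation that
 * names longer than 1023 characters crash compress and uncompress. */
#define NAME_BUF 1024

/* The vulnerable pattern described in the post: the filename is copied into
 * a fixed stack buffer with no length check, so any name of NAME_BUF or more
 * bytes writes past the end of tempname.  Shown for contrast only; it is
 * never called in this file, because an overlong input makes its behaviour
 * undefined. */
void unsafe_name_copy(const char *fileptr)
{
    char tempname[NAME_BUF];
    strcpy(tempname, fileptr);   /* overflows when strlen(fileptr) >= NAME_BUF */
    (void)tempname;
}

/* Hardened form: check that the name and its terminating NUL fit in the
 * destination before copying, and report failure instead of overflowing.
 * Returns 0 on success and -1 when the name is rejected. */
int safe_name_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || n + 1 > dstsize)
        return -1;                 /* caller should print an error and skip the file */
    memcpy(dst, src, n + 1);       /* bounded copy including the NUL */
    return 0;
}

/* Stand-alone check: build a constructed name of `len` 'A' characters and
 * report whether the hardened copy accepts it (1 = accepted, 0 = rejected,
 * -1 = test name too long to construct). */
int name_of_length_accepted(size_t len)
{
    char src[NAME_BUF + 16];       /* room to construct a name just over the limit */
    char dst[NAME_BUF];

    if (len >= sizeof src)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    return safe_name_copy(dst, sizeof dst, src) == 0;
}

int main(void)
{
    printf("10-char name accepted:   %d\n", name_of_length_accepted(10));
    printf("1023-char name accepted: %d\n", name_of_length_accepted(1023));
    printf("1024-char name accepted: %d\n", name_of_length_accepted(1024));
    return 0;
}
```

The hardened copy rejects exactly the inputs the post says crash the original (1024 bytes and longer) while still accepting every name that fits; in a real tool the rejection path should report the name and continue with the next file rather than abort, and any later suffix appended to the buffer (such as a ".Z" extension) must be counted in the same check.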