Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Delivered-To: mailing list securesoftware@list.cr.yp.to
Received: (qmail 54892 invoked from network); 16 Dec 2004 21:08:33 -0000
Received: from unknown (HELO ns1.powerserver19.nl) (83.172.129.26)
  by stoneport.math.uic.edu with SMTP; 16 Dec 2004 21:08:33 -0000
Received: from www.atbas.org (localhost.localdomain [127.0.0.1])
  by ns1.powerserver19.nl (8.12.10/8.12.10) with SMTP id iBGL97Rn005908;
  Thu, 16 Dec 2004 22:09:47 +0100
Received: from 80.126.96.15 (SquirrelMail authenticated user atbas@atbas.org)
  by www.atbas.org with HTTP; Thu, 16 Dec 2004 22:09:47 +0100 (CET)
Message-ID: <1957.80.126.96.15.1103231387.squirrel@www.atbas.org>
In-Reply-To: <20041215081727.23037.qmail@cr.yp.to>
References: <20041215081727.23037.qmail@cr.yp.to>
Date: Thu, 16 Dec 2004 22:09:47 +0100 (CET)
Subject: Re: [remote] [control] 2fax 3.04 expandtabs overflows s buffer
From: "Hans Harder"
To: "D. J. Bernstein"
Cc: securesoftware@list.cr.yp.to
User-Agent: SquirrelMail/1.4.2
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3
Importance: Normal

Hello,

Thanks for the email concerning the report of the security hole in the
expandtab function. I have changed the code, so it will now check and
prevent the buffer overflow.

The new version 2fax 3.05 for Linux is now available on the website.
Had no time for the Windows version yet :)

Hope Ariel will pass the exams.

Hans

> Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
> discovered a remotely exploitable security hole in 2fax, a text-to-TIFF
> converter. I'm publishing this notice, but all the discovery credits
> should be assigned to Berkman.
>
> You are at risk if you take an email message (or a web page or any other
> source that could be controlled by an attacker) and feed it through
> 2fax. (The 2fax documentation does not tell users to avoid taking input
> from the network.) Whoever provides the input then has complete control
> over your account: he can read and modify your files, watch the programs
> you're running, etc.
>
> Proof of concept: On an x86 computer running FreeBSD 4.10, type
>
>    wget http://www.atbas.org/2fax/2fax304.tgz
>    gunzip < 2fax304.tgz | tar -xf -
>    cd 2fax-3.04
>    gcc -o 2fax 2fax.c
>
> to download and compile the 2fax program, version 3.04 (current). Then
> save the file 13.txt attached to this message, and type
>
>    ./2fax 13.txt 13.tiff
>
> with the unauthorized result that a file named x is removed from the
> current directory.
>
> Here's the bug: In 2fax.c, expandtabs() copies any amount of data into a
> 256-byte s array.
>
> ---D. J. Bernstein, Associate Professor, Department of Mathematics,
> Statistics, and Computer Science, University of Illinois at Chicago
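Added example, not code from 2fax, from the advisory, or from Hans's reply: a constructed expandtabs() in the shape the advisory describes (a fixed 256-byte s, input copied with no length check) beside a bounded version of the kind the 3.05 fix needs. The tab-stop width of 8, the function names, and the sample inputs are assumptions of this example; nothing here is the actual 2fax.c source or the attached 13.txt. The point the two variants make is that the bound has to be applied to output columns, not input bytes, because a short line full of tabs expands far past its own length.

```c
#include <stddef.h>
#include <string.h>

#define TABSTOP 8    /* tab stop width assumed for this illustration */
#define SBUF    256  /* the fixed s[256] size the advisory names */

/*
 * The overflow pattern the advisory describes (constructed illustration,
 * not the actual 2fax.c source): the output buffer s is a fixed 256 bytes
 * and neither the input length nor the tab expansion is ever bounded, so a
 * long line, or a short line with enough tabs, writes past the end of s.
 * Present for contrast only; never call it on attacker-controlled input.
 */
void expandtabs_unbounded(const char *in, char *s /* assumed s[SBUF] */)
{
    size_t o = 0;
    for (; *in; in++) {
        if (*in == '\t') {
            size_t pad = TABSTOP - (o % TABSTOP);
            while (pad--)
                s[o++] = ' ';          /* no check against SBUF */
        } else {
            s[o++] = *in;              /* no check against SBUF */
        }
    }
    s[o] = '\0';
}

/*
 * Bounded variant. Writes at most outsz-1 bytes plus a NUL, counting the
 * spaces a tab expands to rather than input bytes. Returns the number of
 * bytes written, or -1 when the expanded line did not fit; on -1 the
 * output is still NUL-terminated and holds the longest prefix that fit.
 */
int expandtabs_safe(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0)
        return -1;
    for (; *in; in++) {
        if (*in == '\t') {
            size_t pad = TABSTOP - (o % TABSTOP);
            while (pad--) {
                if (o + 1 >= outsz) { out[o] = '\0'; return -1; }
                out[o++] = ' ';
            }
        } else {
            if (o + 1 >= outsz) { out[o] = '\0'; return -1; }
            out[o++] = *in;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* --- constructed inputs for the demonstration (not the advisory's 13.txt) --- */

/* "a\tb" expands to 'a', seven spaces, 'b': returns 9 on success. */
int demo_tab_expansion(void)
{
    static char buf[SBUF];
    int n = expandtabs_safe("a\tb", buf, sizeof buf);
    if (n < 0)
        return -1;
    return strcmp(buf, "a       b") == 0 ? n : -2;
}

/* A 300-byte line: the unbounded version would write 45 bytes past s[256];
 * the bounded one reports truncation and leaves a 255-byte prefix. */
int demo_overlong_line(void)
{
    static char in[301];
    static char buf[SBUF];
    memset(in, 'x', 300);
    in[300] = '\0';
    if (expandtabs_safe(in, buf, sizeof buf) != -1)
        return -1;
    return (int)strlen(buf);
}

/* 40 tabs are only 40 input bytes but expand to 320 columns, so a check
 * on the input length alone would not have closed the hole. */
int demo_tab_bomb(void)
{
    static char in[41];
    static char buf[SBUF];
    memset(in, '\t', 40);
    in[40] = '\0';
    if (expandtabs_safe(in, buf, sizeof buf) != -1)
        return -1;
    return (int)strlen(buf);
}
```

Truncating to the longest prefix that fits is one policy; rejecting the line outright or growing the buffer with a checked realloc are the other two, and which one a converter should pick depends on whether silently dropping part of a faxed line is acceptable. Whichever is chosen, the check belongs on every write into s, including each space a tab produces.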