oss-sec mailing list archives
Re: Re: Stack out of bounds read access in uudecode / sharutils
From: Joshua Smith <jsmith () mail wvnet edu>
Date: Wed, 3 Jun 2015 14:43:35 -0400
On Wed, Jun 03, 2015 at 08:25:37PM +0200, Hanno Böck wrote:
Hi CVE-team, On Tue, 2 Jun 2015 22:35:02 -0400 (EDT) cve-assign () mitre org wrote:What are the realistic scenarios in which this has a security impact? For example, can any of these occur on actual systems? 1. The attacker e-mails a uuencoded file to their own mailbox on a web-based mail service. This service has a feature in which decoded data is presented to the recipient. (The server operates on the data with the uudecode program, not with any other implementation of the uudecode algorithm. The attacker gains read access to unintended parts of the server's memory.) 2. A web site allows users to do HTTP uploads of data in uuencoded format, and supports requests for decoded versions of the data. Same parenthesized description as above. 3. The attacker composes a news article with crafted uuencoded data and posts it to the alt.sources Usenet newsgroup. The attacker is subscribed to this newsgroup in their own account on a web-based Usenet news reading service. Same parenthesized description as above.To answer these questions to the best of my knowledge: I don't know. This is a question I think I can answer in a very general fashion. I find and report these out of bounds vulns very often. I can confirm that in your described scenarios an attacker could trigger an out of bounds read. If that can in anyway be used to exfiltrate data or other attacks: I don't know. In this case it's probably unlikely, because as you can see the oob read is just one byte. Analyzing the impact of these kinds of vulns would require digging and understanding the code in detail by someone skilled in memory corruption exploitation (that means: not me). What I can say is that many very similar issues I reported in the past got CVEs (lately e.g. in wireshark and curl). And there'll probably be a lot more in the near future. I started trying to write up reports for all issues of these kinds I reported once they got fixed. If you prefere not to be bothered about out of bounds issues with unknown impact any more I am fine with that and will stop cc-ing. Also - if the people on oss-security feel that my reports on these minor issues are too frequently please tell me and I'll stop sending them. But in the past I had the impression it's apprechiated and solar designer wants as much info as possible in the oss-security archives in case external sources vanish. cu, -- Hanno Böck http://hboeck.de/ mail/jabber: hanno () hboeck de GPG: BBB51E42
Not that my opinion matters but I enjoy reading your posts on this and similar vulnerabilities you have discovered. -- Joshua Smith Lead Systems Administrator WVNET Montani Semper Liberi
Current thread:
- Stack out of bounds read access in uudecode / sharutils Hanno Böck (Jun 02)
- Re: Stack out of bounds read access in uudecode / sharutils cve-assign (Jun 02)
- Re: Re: Stack out of bounds read access in uudecode / sharutils Hanno Böck (Jun 03)
- Re: Stack out of bounds read access in uudecode / sharutils cve-assign (Jun 03)
- Re: Re: Stack out of bounds read access in uudecode / sharutils Joshua Smith (Jun 03)
- Re: Re: Stack out of bounds read access in uudecode / sharutils Hanno Böck (Jun 03)
- Re: Stack out of bounds read access in uudecode / sharutils cve-assign (Jun 02)