Vulnerability Development mailing list archives

New bugs, old bugs


From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Tue, 20 Nov 2001 15:40:21 +0100 (MET)

The problem with gzip (and other similar programs) and ftpd has been known
for a long time. Let me repost something I sent to security-audit a few
months ago (please look at the list of references at the end).

---------- Forwarded message ----------
Date: Fri, 29 Jun 2001 10:23:38 +0200 (MET DST)
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
To: security-audit () ferret lmh ox ac uk
Subject: ncompress (and gzip? bzip2?) buffer overflow and why it matters

There is a trivial stack buffer overflow in ncompress 4.2.4 and presumably
most older versions (but I doubt anyone is using them). Give it a filename
longer than 1023 chars and see both compress and uncompress go down in
flames (this one is pretty easy to spot, just look at the beginning of
comprexx(); if you want a patch, you can find it in [1]). Red Hat, up to
the most recent Raw Hide is affected. Debian is safe, because it does not
include the package (probably due to the stupid LZW patent).

There used to be a similar problem in gzip (unpatched 1.2.4) but the
overflow happened in BSS rather than on the stack ([2]). As far as I can
tell, version 1.3 included in RH 7.0+ and its clones, has this bug fixed
but older version (like the still supported 6.2) are affected. Debian is
still using 1.2.4 but they patched it a long time ago.

Bzip2 is probably as bad as its two friends [3].

Perfectionism dictating no program should ever crash aside, this is also
a security risk when these programs get their filename from an untrusted
party. One particularly attractive opportunity is a "smart" FTP server
that can run them upon the client's request [4], e.g. wu-ftpd, together
with an ability to upload files. As far as I know, no one has published an
exploit yet--there are many technical obstacles (e.g. wu-ftpd limits the
size of every command to 1/2 kB or something like that), but I think I am
quite close to putting all pieces together. This is bad news for anyone
providing FTP-only accounts, and we have not discussed other ways to
exploit those bugs yet.

Conclusion: If you neglect to fix old bugs for a long time (perhaps
because they look irrelevant), they will come back and bite you.


References:

[1] Date: Sat, 15 Apr 2000 23:39:01 +0100
    From: Antonomasia <ant () notatla demon co uk>
    To: security-audit () ferret lmh ox ac uk
    Subject: Re: ncompress-4.2.4 race condition

[2] Date: Thu, 25 Dec 1997 15:20:40 +0100
    From: "Michal Zalewski" <lcamtuf () POLBOX COM>
    To: BUGTRAQ () NETSPACE ORG
    Subject: Gzip & segmentation faults

[3] Date: Mon, 22 Jun 1998 16:14:03 -0700 (PDT)
    From: Zach Brown <zab () zabbo net>
    To: security-audit () ferret lmh ox ac uk
    Subject: a quick peek at bzip2

[4] Date: Sat, 20 Jun 1998 21:48:47 +0100 (BST)
    From: Chris Evans <chris () ferret lmh ox ac uk>
    To: security-audit () ferret lmh ox ac uk
    Subject: ~ftp/bin integrity?


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
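As an added illustration (not ncompress source and not part of the post above): a fixed 1024-byte output-name buffer of the kind the post says comprexx() overflows, with the unbounded copy beside a bounded version that rejects names that would not fit. The ".Z" suffix and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Assumed stand-ins for the fixed buffer and suffix a compressor uses
 * when it builds the output name from a caller-supplied filename. */
#define PATH_BUF 1024
#define SUFFIX   ".Z"

/* Unsafe pattern: no length check, so a name of PATH_BUF bytes or more
 * writes past the end of out (a stack buffer when out is a local).
 * Kept only for comparison; never pass it untrusted input. */
void build_output_name_unsafe(const char *in, char *out)
{
    strcpy(out, in);
    strcat(out, SUFFIX);     /* the suffix pushes the write even further */
}

/* Hardened version: account for the suffix and the terminating NUL before
 * touching the buffer. Returns 0 on success, -1 with errno=ENAMETOOLONG
 * when the name is rejected; out is left untouched on failure. */
int build_output_name_safe(const char *in, char *out, size_t outsz)
{
    size_t inlen = strlen(in);
    size_t need  = inlen + strlen(SUFFIX) + 1;   /* +1 for the NUL */
    if (need > outsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, in, inlen);
    memcpy(out + inlen, SUFFIX, strlen(SUFFIX) + 1);
    return 0;
}

/* Builds a constructed name of `len` 'a' characters and reports whether
 * the hardened routine accepts it into a PATH_BUF-sized buffer. */
int name_len_accepted(size_t len)
{
    char name[4096];
    char out[PATH_BUF];
    if (len >= sizeof name) return 0;
    memset(name, 'a', len);
    name[len] = '\0';
    return build_output_name_safe(name, out, sizeof out) == 0;
}

int main(void)
{
    /* 1021 + ".Z" + NUL = 1024 fits; one more character does not. */
    printf("1021 chars accepted: %d\n", name_len_accepted(1021));
    printf("1022 chars accepted: %d\n", name_len_accepted(1022));
    return 0;
}
```

The only defence the example adds is the size arithmetic up front; the same check belongs wherever a server-side helper (the FTP conversion case the post describes) hands a client-chosen name to such a program.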