Vulnerability Development mailing list archives
New bugs, old bugs
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Tue, 20 Nov 2001 15:40:21 +0100 (MET)
The problem with gzip (and other similar programs) and ftpd has been known for a long time. Let me repost something I sent to security-audit a few months ago (please look at the list of references at the end).

---------- Forwarded message ----------
Date: Fri, 29 Jun 2001 10:23:38 +0200 (MET DST)
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
To: security-audit () ferret lmh ox ac uk
Subject: ncompress (and gzip? bzip2?) buffer overflow and why it matters

There is a trivial stack buffer overflow in ncompress 4.2.4 and presumably most older versions (but I doubt anyone is using them). Give it a filename longer than 1023 chars and see both compress and uncompress go down in flames (this one is pretty easy to spot, just look at the beginning of comprexx(); if you want a patch, you can find it in [1]). Red Hat, up to the most recent Raw Hide, is affected. Debian is safe, because it does not include the package (probably due to the stupid LZW patent).

There used to be a similar problem in gzip (unpatched 1.2.4) but the overflow happened in BSS rather than on the stack ([2]). As far as I can tell, version 1.3, included in RH 7.0+ and its clones, has this bug fixed but older versions (like the still supported 6.2) are affected. Debian is still using 1.2.4 but they patched it a long time ago.

Bzip2 is probably as bad as its two friends [3].

Perfectionism dictating no program should ever crash aside, this is also a security risk when these programs get their filename from an untrusted party. One particularly attractive opportunity is a "smart" FTP server that can run them upon the client's request [4], e.g. wu-ftpd, together with an ability to upload files. As far as I know, no one has published an exploit yet--there are many technical obstacles (e.g. wu-ftpd limits the size of every command to 1/2 kB or something like that), but I think I am quite close to putting all pieces together.
This is bad news for anyone providing FTP-only accounts, and we have not discussed other ways to exploit those bugs yet.

Conclusion: If you neglect to fix old bugs for a long time (perhaps because they look irrelevant), they will come back and bite you.

References:

[1] Date: Sat, 15 Apr 2000 23:39:01 +0100
    From: Antonomasia <ant () notatla demon co uk>
    To: security-audit () ferret lmh ox ac uk
    Subject: Re: ncompress-4.2.4 race condition

[2] Date: Thu, 25 Dec 1997 15:20:40 +0100
    From: "Michal Zalewski" <lcamtuf () POLBOX COM>
    To: BUGTRAQ () NETSPACE ORG
    Subject: Gzip & segmentation faults

[3] Date: Mon, 22 Jun 1998 16:14:03 -0700 (PDT)
    From: Zach Brown <zab () zabbo net>
    To: security-audit () ferret lmh ox ac uk
    Subject: a quick peek at bzip2

[4] Date: Sat, 20 Jun 1998 21:48:47 +0100 (BST)
    From: Chris Evans <chris () ferret lmh ox ac uk>
    To: security-audit () ferret lmh ox ac uk
    Subject: ~ftp/bin integrity?

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
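As an added example (not code from the post, nor from ncompress or gzip), here is the defensive shape of the filename handling the post describes: a fixed-size name buffer matching the "longer than 1023 chars" trigger, where the output name is only built after an explicit length check, so an overlong name is rejected instead of overrunning the buffer. The buffer size, the ".Z" suffix handling and all function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption (hypothetical, not the ncompress layout): the name lives in a
 * fixed 1024-byte buffer, which is what a ">1023 chars" trigger implies. */
#define NAME_BUF_SIZE 1024
#define COMPRESS_SUFFIX ".Z"

/* The bug class in question, shown only as a comment:
 *     char out[NAME_BUF_SIZE];
 *     strcpy(out, name); strcat(out, COMPRESS_SUFFIX);   -- no bound at all
 */

/* Build "<name>.Z" into out[outsz]. Returns 0 on success and -1 on bad
 * arguments or when name + suffix + NUL would not fit; it never truncates
 * silently, so callers can refuse the request instead of guessing. */
int build_output_name(const char *name, char *out, size_t outsz)
{
    if (name == NULL || out == NULL || outsz == 0)
        return -1;
    size_t nlen = strlen(name);
    size_t slen = strlen(COMPRESS_SUFFIX);
    /* Two-step check avoids any size_t wraparound in the arithmetic. */
    if (nlen >= outsz || slen >= outsz - nlen)
        return -1;                        /* nlen + slen + 1 > outsz */
    memcpy(out, name, nlen);
    memcpy(out + nlen, COMPRESS_SUFFIX, slen + 1); /* includes the NUL */
    return 0;
}

/* Pre-check a front end (e.g. an FTP daemon that spawns a compressor on
 * request) can apply to an untrusted name. Returns 1 if acceptable. */
int name_length_ok(const char *name)
{
    char tmp[NAME_BUF_SIZE];
    return build_output_name(name, tmp, sizeof tmp) == 0;
}

/* Boundary helper: result of build_output_name for a name of n 'A's. */
int result_for_name_length(size_t n)
{
    char name[4096], out[NAME_BUF_SIZE];
    if (n >= sizeof name)
        return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    return build_output_name(name, out, sizeof out);
}

int main(void)
{
    printf("8 chars: %d, 1023 chars: %d\n",
           result_for_name_length(8), result_for_name_length(1023));
    return 0;
}
```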