[UNIX] chmlib CHM File Handling Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 10/31/05

    To: list@securiteam.com
    Date: 31 Oct 2005 08:49:04 +0200
    
    


      chmlib CHM File Handling Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    "CHMLIB is a library for dealing with Microsoft ITSS/CHM format files."
    <http://morte.jedrea.com/~jedwin/projects/chmlib/> The chmlib library
    does not validate the length of the data it is asked to copy, allowing
    attackers to overflow internal buffers and, as a result, execute
    arbitrary code.

    DETAILS

    Vulnerable Systems:
     * chmlib version 0.35

    Immune Systems:
     * chmlib version 0.36 and above

    Remote exploitation of a stack overflow vulnerability in chmlib as
    included in various Linux distributions allows attackers to execute
    arbitrary code.

    The vulnerability specifically exists due to an unchecked memory copy
    while processing a CHM file.

    The vulnerability exists in the following code, which is found in
    chm_lib.c:

    static UChar *_chm_find_in_PMGL(UChar *page_buf, Uint32 block_len,
                                    const char *objPath)
    {
    [...]
        char buffer[CHM_MAX_PATHLEN+1];     /* fixed-size stack buffer */
        /* figure out where to start and end */
        cur = page_buf;
        hremain = _CHM_PMGL_LEN;
        if (! _unmarshal_pmgl_header(&cur, &hremain, &header))
            return NULL;
        end = page_buf + block_len - (header.free_space);

        /* now, scan progressively */
        while (cur < end)
        {
            /* grab the name */
            temp = cur;
            strLen = _chm_parse_cword(&cur);   /* length comes from the file; never compared to CHM_MAX_PATHLEN */
            if (! _chm_parse_UTF8(&cur, strLen, buffer))   /* copies strLen bytes into buffer */
                return NULL;
    [...]

    _chm_parse_cword can be forced to return a value larger than
    CHM_MAX_PATHLEN. This value is then used while copying user controlled
    data into a CHM_MAX_PATHLEN sized stack buffer. This allows the attacker
    full control over execution flow by overwriting the saved return address
    on the stack.
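    The following is an added illustration, not chmlib's code and not the fix shipped in 0.36: the name-extraction step above with the missing length check in place. It assumes CHM's cword encoding is 7 bits per byte with the high bit meaning "more bytes follow", and the CHM_MAX_PATHLEN value is illustrative.

```c
/* Added example (not chmlib's code nor its 0.36 fix): the name-extraction
 * step of _chm_find_in_PMGL with the missing length check added. The cword
 * decoder assumes CHM's 7-bits-per-byte, high-bit-continues encoding;
 * CHM_MAX_PATHLEN's value here is illustrative only. */
#include <stdint.h>
#include <string.h>
#define CHM_MAX_PATHLEN 512          /* illustrative; chmlib defines its own */

/* Decode a variable-length integer, refusing to read past the page end. */
static uint64_t parse_cword(const uint8_t **p, const uint8_t *end)
{
    uint64_t accum = 0;
    while (*p < end) {
        uint8_t b = *(*p)++;
        accum = (accum << 7) | (b & 0x7f);
        if (!(b & 0x80))
            return accum;            /* last byte of the number */
    }
    return UINT64_MAX;               /* truncated cword */
}

/* Copy the entry name into the CHM_MAX_PATHLEN-sized buffer only when the
 * declared length fits it AND that many bytes remain in the page; the
 * vulnerable code copied strLen bytes with neither check.
 * Returns the name length, or -1 for a malformed entry. */
int parse_name_checked(const uint8_t *cur, const uint8_t *end,
                       char buffer[CHM_MAX_PATHLEN + 1])
{
    uint64_t strLen = parse_cword(&cur, end);
    if (strLen == UINT64_MAX || strLen > CHM_MAX_PATHLEN)
        return -1;                   /* would overflow buffer[] */
    if ((uint64_t)(end - cur) < strLen)
        return -1;                   /* would read past the page */
    memcpy(buffer, cur, (size_t)strLen);
    buffer[strLen] = '\0';
    return (int)strLen;
}

/* Constructed sample entries, not real CHM data. */
static const uint8_t good_entry[]      = { 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t oversized_entry[] = { 0x84, 0x01, 'x' };  /* claims 513 */
static const uint8_t truncated_entry[] = { 0x03, 'a' };        /* claims 3 */
static char name_buf[CHM_MAX_PATHLEN + 1];   /* stands in for the stack buffer */

int demo_good(void)      { return parse_name_checked(good_entry, good_entry + 6, name_buf); }
int demo_oversized(void) { return parse_name_checked(oversized_entry, oversized_entry + 3, name_buf); }
int demo_truncated(void) { return parse_name_checked(truncated_entry, truncated_entry + 2, name_buf); }
```

    The second sample declares a 513-byte name in a 3-byte entry; the length check rejects it before any copy, which is the condition the vulnerable loop never tested.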

    Exploitation could allow attackers to execute arbitrary code with the
    privileges of the user processing the CHM file. Remote exploitation can be
    achieved by sending a malicious file in an e-mail message to the target
    user.

    CVE Information:
    CAN-2005-2930
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2930>

    Disclosure Timeline:
    09/08/2005 - Initial vendor notification
    09/09/2005 - Initial vendor response
    10/28/2005 - Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE Labs
    <mailto:labs-no-reply@idefense.com>.
    The original article can be found at:
    <http://www.idefense.com/application/poi/display?id=332&type=vulnerabilities>


