A stack-based buffer overflow vulnerability exists in the popular shar utility packaged in the GNU sharutils distribution, due to a lack of bounds checking when handling the -o command-line option. By default, this file is not setuid nor setgid, but if used in conjunction with other tools, it is possible that this can be manipulated for nefarious purposes.
b6dceda7216ae56f8997fa05d3bb0b438c5ce4c248e40197d99a60a8f531c1c6
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
Product: GNU Sharutils -
shar utility
Versions: Latest - GNU sharutils 4.2.1
Assumed all
Bug: Buffer overflow
Impact: Attackers can possibly execute arbitrary
code
Risk: Low/Medium
Date: April 6, 2004
Author: Shaun Colley
Email: shaunige yahoo co uk
WWW: https://www.nettwerked.co.uk
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
Introduction
#############
GNU sharutils is a common GNU package, included with
most Linux distributions, designed to create and
unpack SHell ARchives, which are used to send large
binaries through email with more ease.
Vendor's description
---
"GNU shar makes so-called shell archives out of many
files, preparing them for transmission by electronic
mail services. A shell archive is a collection of
files that can be unpacked by /bin/sh. A wide range of
features provide extensive flexibility in
manufacturing shars and in specifying shar smartness.
For example, shar may compress files, uuencode binary
files, split long files and construct multi-part
mailings, ensure correct unsharing order, and provide
simplistic checksums.
GNU unshar scans a set of mail messages looking for
the start of shell archives. It will automatically
strip off the mail headers and other introductory
text. The archive bodies are then unpacked by a copy
of the shell. unshar may also process files containing
concatenated shell archives. "
---
The 'shar' utility included as part of the GNU
sharutils package is prone to a buffer overflow
vulnerability due to lack of bounds checking when
processing the '-o' command-line flag.
Details
########
A stack-based buffer overflow vulnerability exists in
the popular 'shar' utility packaged in the GNU
sharutils distribution, due to lack of bounds checking
when handling the '-o' command-line option.
During the command-line argument parsing routine, when
the '-o' flag is encountered, 'shar' performs a
'strcpy()' call to blindly copy the user-supplied
argument after '-o' without bounds checking, into a
fixed length buffer, output_base_name, which has only
50 allocated to it.
Below is the offending code:
--- shar.c snippet ---
[...]
static char output_base_name[50];
[...]
while (optchar = getopt_long (argc, argv,
"+$BCDFL:MPQSTVXZab:cd:fg:hl:mn:o:pqs:wxz",
long_options, NULL),
optchar != EOF)
switch (optchar)
{
[...]
case 'o':
strcpy (output_base_name, optarg);
if (!strchr (output_base_name, '%'))
strcat (output_base_name, ".%02d");
part_number = 0;
open_output ();
break;
[...]
--- EO shar.c snippet ---
As the above code snippet implies, the argument
following the '-o' flag is copied into
output_base_name, using the dangerous 'strcpy()' call.
Since there is no check made on the length of the
argument before copying it into a small, fixed length
buffer, an excessively long string could allow for
program flow control information to be overwritten,
such as the Instruction Pointer (EIP), potentially
allowing arbitrary code to be executed.
Although the 'shar' utility is not SUID or SGID by
default, nor does it run with any special privileges,
if a website contained a CGI script which invoked
'shar' with the '-o' switch and allowed a
user-supplied filename for '-o', an attacker could
potentially execute arbitrary command by successfully
exploiting the buffer overflow condition.
The '-o' option is the only command-line flag able to
trigger this buffer overflow bug, as no other options
cause 'shar' to perform a blind 'strcpy()' call with
an unchecked buffer.
Exploitation
#############
The buffer overflow condition can be reproduced by
supplying an overly long string following the '-o'
option when invoking 'shar', in place of where 'shar'
expects a base filename.
Reproduction of the condition can be triggered by
issuing a command similar to the one below:
---
bash$ shar -o `perl -e 'print "a"x2000'`
Segmentation fault (core dumped)
---
Note that although GNU shar is not SUID or SGID by
default, if a website contained a CGI script that ran
shar with '-o' as a flag with user-supplied data, it
may be possible for a potential attacker to execute
arbitrary code.
Another situation where this issue may be exploited by
a potential attacker is when a third-party application
with SUID/SGID privileges invokes 'shar' with the '-o'
flag, with user-supplied data.
Solution
#########
I contacted the vendor, GNU, and received no response
within 4 1/2 days.
Although this issue isn't to be considered a serious
security threat, there are instances where this can be
exploited by a would-be attacker to execute code, such
as in the circumstances suggested above (cgi script,
sXid program, etc). Therefore, it would be considered
good practice to apply the fix regardless of whether
your system is likely to be compromised as a result of
the issue.
I have written a simple patch below to fix the buffer
overflow bug:
--- shar-bof.patch ---
--- shar.1.c 2004-04-06 16:26:55.000000000 +0100
+++ shar.c 2004-04-06 16:32:32.000000000 +0100
@@ -1905,7 +1905,7 @@
break;
case 'o':
- strcpy (output_base_name, optarg);
+ strncpy (output_base_name, optarg,
sizeof(output_base_name));
if (!strchr (output_base_name, '%'))
strcat (output_base_name, ".%02d");
part_number = 0;
--- EOF ---
Apply the patch, and rebuild:
---
bash# patch < shar-bof.patch && make && make install
---
Issue the above reproduction command, and a
segmentation fault should no longer be produced.
---
bash$ shar -o `perl -e 'print "a"x2000'`
shar: No input files
Try `shar --help' for more information.
bash$
---
Credit
#######
This issue was discovered and researched by Shaun
Colley / shaun2k2 - <shaunige yahoo co uk>.
Disclaimer
###########
The information contained within this advisory was
believed to be accurate at the time of it's
publishing. However, it may be inaccurate at times,
so don't consider any information 'set in stone'.
Direct flames to /dev/null. Don't waste my time and
yours with emails complaining about my non-cooperation
with standard and non-standard "disclosure" policies -
I'm not interested.
Thank you for your time.
Shaun.
____________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping"
your friends today! Download Messenger Now
https://uk.messenger.yahoo.com/download/index.html