what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

aspellOverflow.txt

aspellOverflow.txt
Posted Jun 10, 2004
Authored by Shaun Colley aka shaun2k2 | Site nettwerked.co.uk

Aspell is susceptible to a stack overflow when it makes use of a wordlist file that has an entry exceeding 256 bytes.

tags | advisory, overflow
SHA-256 | 7b148643f8b27cc0b5251d418834bd40e6879c6455093a920ae35722acfa711d

aspellOverflow.txt

Change Mirror Download
_________________________________________________________

Product: word-list-compress / part of aspell
package
Versions: All
Bug: Stack overflow
Impact: Run arbitrary code with privs of target
user
Risk: Low
Date: June 8, 2004
Author: shaun2k2
https://www.nettwerked.co.uk
_________________________________________________________



Introduction
#############

Aspell was intended as a more accurate and robust
replacement for the popular ispell package, and was
written by GNU. Aspell includes a small utility for
compressing and decompressing wordlists before
processing by aspell, namely 'word-list-compress'.

Due to insufficient bounds checking, a malformed
wordlist can cause for a stack based buffer overflow
to occur, possibly allowing execution of arbitrary
code with the privileges of the invoking user.


Details
########

The word-list-compress utility provides two options --
decompression of wordlists and compression of
wordlists. When processing wordlists supplied with
either option, due to lack of bounds checking, a
buffer overflow could occur, should a word exceeding
256 bytes be present in the user-supplied wordlist.

The offending code lays below.

--- vulnerable code ---
else if (argv[1][0] == 'c') {

char s1[256];
char s2[256];
char * prev = s2;
char * cur = s1;
*prev = '\0';

SETBIN (stdout);

/* BUG 1: no checks are made to prevent getting
more than 256 bytes via get_word() */
while (get_word(stdin, cur)) {
int i = 0;
/* get the length of the prefix */
while (prev[i] != '\0' && cur[i] != '\0' &&
prev[i] == cur[i])
++i;
if (i > 31) {
putc('\0', stdout);
}
putc(i+1, stdout);
fputs(cur+i, stdout);
if (cur == s1) {
prev = s1; cur = s2;
} else {
prev = s2; cur = s1;
}
}
return 0;

} else if (argv[1][0] == 'd') {

char cur[256];
int i;
int c;

SETBIN (stdin);

i = getc(stdin);
while (i != -1 ) {
if (i == 0)
i = getc(stdin);
--i;

/* BUG 2: no check is made to prevent against
writing more than 256 bytes into the fixed
length buffers */
while ((c = getc(stdin)) > 32)
cur[i++] = (char)c;
cur[i] = '\0';
fputs(cur, stdout);
putc('\n', stdout);
i = c;
}
return 0;
--- EOF ---

The get_word() routine is called continually when
acting upon 'c' (compress) until the user-supplied
string ends. In option 'd' (decompress), characters
are written into a fixed length buffer ('cur').
However, no checks in the while() loops are present to
ensure that the number of characters in each 'word'
exceed 256 bytes, thus resulting in a potential buffer
overflow, such should a condition arise.

If a user was able to influence the contents of
another users wordlist/dictionary file, the user could
craft a malicious word entry exceeding 256 bytes to
execute arbitrary code. When word-list-compress is
then called by a targetted user, the malicious
wordlist entry would trigger to overflow, optionally
running arbitrary code with the privileges of the
user.


Exploitation
##############

Assuming a user had sufficient privileges to influence
the contents of a users wordlist, a malicious word
entry could be crafted in the form of a normal exploit
buffer.

To reproduce the issues described above, issue the
below commands.

---
bash$ echo `perl -e 'print "a"x1000'` |
word-list-compress c

bash$ echo `perl -e 'print "a"x1000'` |
word-list-compress d
---

Each subsequent command should produce a segmentation
fault. By examining the core file, it should be
apparent that influence of program flow is easily
possible.

The major mitigating factor is the access the
malicious user requires to a users dictionary file.
However, if a malicious user could social engineer a
user into using their specially crafted wordlist with
word-list-compress, an issue would still exist.



Solution
#########

Kevin Atkinson, package maintainer, was contacted a
significant amount of time ago, but no reply was
received, and the issues still exist in the latest
release of aspell.

The below patch file fixes the issues.

--- aspell-bug.patch ---
--- compress.orig.c 2004-06-08 16:37:00.000000000
+0100
+++ compress.c 2004-06-08 16:34:35.000000000 +0100
@@ -28,6 +28,9 @@

#endif

+int count;
+
+
void usage ()
{
fputs("Compresses or uncompresses sorted word
lists.\n" , stderr);
@@ -47,6 +50,7 @@
*w++ = (char)(c);
} while (c = getc(in), c != EOF && c > 32);
*w = '\0';
+ count++;
ungetc(c, in);
if (c == EOF) return 0;
else return 1;
@@ -69,6 +73,7 @@

SETBIN (stdout);

+ while(count < 256) {
while (get_word(stdin, cur)) {
int i = 0;
/* get the length of the prefix */
@@ -85,6 +90,7 @@
prev = s2; cur = s1;
}
}
+ }
return 0;

} else if (argv[1][0] == 'd') {
@@ -100,8 +106,11 @@
if (i == 0)
i = getc(stdin);
--i;
- while ((c = getc(stdin)) > 32)
+ while ((c = getc(stdin)) > 32 && count < 256) {

cur[i++] = (char)c;
+ count++;
+ }
+
cur[i] = '\0';
fputs(cur, stdout);
putc('\n', stdout);
--- EOF ---

Apply the patch, and rebuild aspell.




Thank you for your time.
Shaun.







____________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping"
your friends today! Download Messenger Now
https://uk.messenger.yahoo.com/download/index.html
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close