
Bug found in: Polymorph 0.4.0

01100011 - code 'security research team'
----------------------------------------

- Advisory and PoC exploit by: demz //
- Vulnerable source: Polymorph v0.4.0
- Bug type: Stack overflow
- Priority: 3

----------------------------------------

[01] Description
[02] Vulnerable
[03] Proof of concept
[04] Vendor response

[01] Description

     Polymorph is a filesystem "unixier" (a Win32 -> Unix filename converter).
     When downloading images from Usenet, a lot of filenames are mangled by MS Outlook
     and other, less caring, newsagents.
     You can end up with files with strange names like C:\\PIX\\HUBBLE\\Eagle\ Nebula\ 0532.JPG,
     which, of course, is unacceptable.
     Polymorph looks in the current working directory and finds strange filenames like this.
     It then renames the file after converting all the characters to lowercase and
     trimming the cruft from the original.
     The previous example ends up with the name eagle_nebula_0532.jpg, which is
     much more useful.

     Polymorph contains an unchecked buffer in the handling of the "-f file" option;
     this can be exploited very simply.
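     As an added illustration of the bug class this advisory reports (not Polymorph's own source), the hypothetical handler below cleans a mangled name the way the description says Polymorph does and shows the unchecked copy beside a length-checked one; NAME_BUF, polymorph_name and the handle_file_option names are assumptions.

```c
/* Added illustration, not Polymorph's own source: a hypothetical "-f file"
 * handler that cleans a mangled name as described above, with the unchecked
 * copy beside a bounded one.  NAME_BUF and the function names are assumed. */
#include <ctype.h>
#include <string.h>

#define NAME_BUF 64                 /* hypothetical fixed-size stack buffer */

/* "C:\PIX\HUBBLE\Eagle Nebula 0532.JPG" -> "eagle_nebula_0532.jpg": keep what
 * follows the last backslash, lowercase it, map anything outside [a-z0-9.]
 * to '_'.  Returns 0, or -1 if the result plus NUL would not fit in outlen. */
int polymorph_name(const char *in, char *out, size_t outlen)
{
    const char *slash = strrchr(in, '\\'), *base = slash ? slash + 1 : in;
    size_t n = strlen(base);
    if (outlen == 0 || n >= outlen)
        return -1;                  /* the bounds check that matters */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)tolower((unsigned char)base[i]);
        out[i] = (isalnum(c) || c == '.') ? (char)c : '_';
    }
    out[n] = '\0';
    return 0;
}

/* VULNERABLE pattern (the defect class reported above): the -f argument is
 * copied into a fixed stack buffer with no length check, so anything longer
 * than NAME_BUF-1 bytes runs past 'name' into the rest of the stack frame. */
int handle_file_option_unchecked(const char *arg)
{
    char name[NAME_BUF];
    strcpy(name, arg);                  /* unbounded copy: the bug */
    return (int)strlen(name);
}

/* Hardened: require a terminator inside the buffer before copying, so an
 * oversize -f argument is rejected.  Returns the cleaned name in static
 * storage, or NULL when the argument or the result is too long. */
const char *handle_file_option(const char *arg)
{
    static char cleaned[NAME_BUF];
    char name[NAME_BUF];
    const char *nul = memchr(arg, '\0', sizeof name);
    if (nul == NULL)
        return NULL;                /* no terminator within NAME_BUF: too long */
    memcpy(name, arg, (size_t)(nul - arg) + 1);   /* bounded copy */
    return polymorph_name(name, cleaned, sizeof cleaned) == 0 ? cleaned : NULL;
}
```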

[02] Vulnerable

     Vulnerable and exploitable version, tested on Red Hat 8.0:
     -  Polymorph 0.4.0

     Prior versions may also be vulnerable.
     Source can be found at:

[03] Proof of concept

     [demz@lab polymorph-0.4.0]$ ./c-polymorph

     Polymorph 0.4.0 local exploit
     ---------------------------------------- demz @ --
     polymorph had trouble converting

              蛝1腊蛺悙悙% to


              蛝1腊 悙悙                  痼...

     the file is now possibly corrupt

     A proof of concept exploit can be found at:

[04] Vendor response

     The vendor has been informed.
