Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Try our Premium Alert Service
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service

Category:   Application (Generic)  >   2fax Vendors:   Harder, Hans
2fax Buffer Overflow in expandtabs() Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012564
SecurityTracker URL:
CVE Reference:   CVE-2004-1255   (Links to External Site)
Updated:  Dec 23 2004
Original Entry Date:  Dec 16 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.04
Description:   A vulnerability was reported in 2fax. A remote user can cause arbitrary code to be executed by the target user.

D. J. Bernstein reported that a remote user can create a specially crafted e-mail, web page, or other file that, when processed by the target user with 2fax, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.

The buffer overflow resides in the expandtabs() function in '2fax.c'

Ariel Berkman is credited with discovering this flaw.

Impact:   A remote user can cause arbitrary code to be executed by the target user with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  [remote] [control] 2fax 3.04 expandtabs overflows s buffer

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in 2fax, a text-to-TIFF
converter. I'm publishing this notice, but all the discovery credits
should be assigned to Berkman.

You are at risk if you take an email message (or a web page or any other
source that could be controlled by an attacker) and feed it through
2fax. (The 2fax documentation does not tell users to avoid taking input
from the network.) Whoever provides the input then has complete control
over your account: he can read and modify your files, watch the programs
you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10, type

   gunzip < 2fax304.tgz | tar -xf -
   cd 2fax-3.04
   gcc -o 2fax 2fax.c

to download and compile the 2fax program, version 3.04 (current). Then
save the file 13.txt attached to this message, and type

   ./2fax 13.txt 13.tiff

with the unauthorized result that a file named x is removed from the
current directory.

Here's the bug: In 2fax.c, expandtabs() copies any amount of data into a
256-byte s array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: attachment; filename="13.txt"
Content-Transfer-Encoding: quoted-printable

=83=C2=03=89Q=10=89A=14=88A*=88A2=88A5=88A:Q=83=C1=08Q=83=C1 =83=C1=03Q=83=


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

Copyright 2018, LLC