Buffer-overflow and format string in White_Dune 0.29beta791

2008.01.08
Credit: Luigi Auriemma
Risk: High
Local: Yes
Remote: No
CVE: CVE-2008-0100 | CVE-2008-0101
CWE: N/A

####################################################################### Luigi Auriemma Application: White_Dune http://vrml.cip.ica.uni-stuttgart.de/dune/ Versions: <= 0.29beta791 Platforms: Unix/Linux/MacOSX and Windows Bugs: A] buffer-overflow in Scene::errorf B] format string in ImportFile Exploitation: local Date: 02 Jan 2008 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== White_Dune is an open source editor/viewer for the VRML97 files. ####################################################################### ======= 2) Bugs ======= ----------------------------------- A] buffer-overflow in Scene::errorf ----------------------------------- A buffer-overflow vulnerability is located in the function which builds the error messages for the problems happened during the parsing of the WRL file. From Scene.cpp: void Scene::errorf(const char *fmt, ...) { va_list ap; char buf[1024], buf2[1024]; const char *url = ""; va_start(ap, fmt); vsprintf(buf, fmt, ap); if (TheApp->getImportURL() != NULL) url = TheApp->getImportURL(); mysnprintf(buf2, 1024, "%s %d: %s", url, lineno, buf); _compileErrors += buf2; } ------------------------------ B] format string in ImportFile ------------------------------ Another problem related to the handling of the errors. After the building of the error message the parse() function returns immediately and swDebugf() is called for visualizing it to stderr or to the debugger without using the needed format argument required by the function. From DuneApp.cpp: DuneApp::ImportFile(const char *openpath, Scene* scene, bool protoLibrary, Node *node, int field) ... if (errors[0]) { swMessageBox(_mainWnd, errors, "Parse Errors", SW_MB_OK, SW_MB_WARNING); swDebugf(errors); ... ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/whitedunboffs.zip ####################################################################### ====== 4) Fix ====== Version 0.29beta795 ####################################################################### --- Luigi Auriemma http://aluigi.org


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top