Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20150603184335.GM1154@jsmith.wvn.wvnet.edu>
Date: Wed, 3 Jun 2015 14:43:35 -0400
From: Joshua Smith <jsmith@...l.wvnet.edu>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Stack out of bounds read access in uudecode /
 sharutils

On Wed, Jun 03, 2015 at 08:25:37PM +0200, Hanno Böck wrote:
> Hi CVE-team,
> 
> On Tue,  2 Jun 2015 22:35:02 -0400 (EDT)
> cve-assign@...re.org wrote:
> 
> > What are the realistic scenarios in which this has a security impact?
> > 
> > For example, can any of these occur on actual systems?
> > 
> > 1. The attacker e-mails a uuencoded file to their own mailbox on a
> > web-based mail service. This service has a feature in which decoded
> > data is presented to the recipient. (The server operates on the data
> > with the uudecode program, not with any other implementation of the
> > uudecode algorithm. The attacker gains read access to unintended parts
> > of the server's memory.)
> > 
> > 2. A web site allows users to do HTTP uploads of data in uuencoded
> > format, and supports requests for decoded versions of the data. Same
> > parenthesized description as above.
> > 
> > 3. The attacker composes a news article with crafted uuencoded data
> > and posts it to the alt.sources Usenet newsgroup. The attacker is
> > subscribed to this newsgroup in their own account on a web-based
> > Usenet news reading service. Same parenthesized description as above.
> 
> To answer these questions to the best of my knowledge: I don't know.
> 
> This is a question I think I can answer in a very general fashion. I
> find and report these out of bounds vulns very often. I can
> confirm that in your described scenarios an attacker could trigger an
> out of bounds read. If that can in anyway be used to exfiltrate data or
> other attacks: I don't know. In this case it's probably unlikely,
> because as you can see the oob read is just one byte.
> 
> Analyzing the impact of these kinds of vulns would require digging and
> understanding the code in detail by someone skilled in memory
> corruption exploitation (that means: not me).
> 
> What I can say is that many very similar issues I reported in the past
> got CVEs (lately e.g. in wireshark and curl). And there'll probably be
> a lot more in the near future. I started trying to write up reports for
> all issues of these kinds I reported once they got fixed.
> 
> If you prefere not to be bothered about out of bounds issues with
> unknown impact any more I am fine with that and will stop cc-ing. Also
> - if the people on oss-security feel that my reports on these
> minor issues are too frequently please tell me and I'll stop sending
> them. But in the past I had the impression it's apprechiated and solar
> designer wants as much info as possible in the oss-security archives
> in case external sources vanish.
> 
> 
> cu,
> -- 
> Hanno Böck
> http://hboeck.de/
> 
> mail/jabber: hanno@...eck.de
> GPG: BBB51E42

Not that my opinion matters but I enjoy reading your posts on this and
similar vulnerabilities you have discovered.



-- 
Joshua Smith
Lead Systems Administrator WVNET

Montani Semper Liberi

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.