From djb@cr.yp.to Wed Dec 15 14:22:40 2004
Date: 15 Dec 2004 08:28:20 -0000
From: D. J. Bernstein
To: securesoftware@list.cr.yp.to, jacobrhoden@users.sourceforge.net
Subject: [remote] [control] csv2xml 0.5.1 get_field_headers overflows token

Limin Wang, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in csv2xml. I'm publishing
this notice, but all the discovery credits should be assigned to Wang.

You are at risk if you take a CSV file from an email message (or a web page
or any other source that could be controlled by an attacker) and feed that
document through csv2xml -m=2. (The csv2xml documentation does not tell
users to avoid taking input from the network.) Whoever provides that
document then has complete control over your account: she can read and
modify your files, watch the programs you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10, type

   wget http://umn.dl.sourceforge.net/sourceforge/csv2xml/csv2xml-0.5.1.tar.gz
   gunzip < csv2xml-0.5.1.tar.gz | tar -xf -
   cd csv2xml-0.5.1
   make

to download and compile the csv2xml program, version 0.5.1 (current).
Then save the file 53.csv attached to this message, and type

   src/csv2xml -m=2 < 53.csv > 53.xml

with the unauthorized result that a file named x is removed from the
current directory. (I tested this with a 449-byte environment, as reported
by printenv | wc -c.)

Here's the bug: In csv2xml.cpp, get_field_headers() uses get_csv_token()
to read any number of bytes into a 1001-byte token[] array. This can be
blamed on get_csv_token(), which has a fundamentally broken gets()-style
interface.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
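The fix the advisory points at is an interface that carries the buffer size, the way fgets() does where gets() does not. Below is an added example of such a bounded token reader in C++; it is not csv2xml's own code, and the function, status and helper names (get_csv_token_bounded, TokenStatus, count_header_fields) are hypothetical. The helper feeds one header record through a 1001-byte token[] array, the size the advisory names, and reports an over-long field instead of writing past the array.

```cpp
#include <cstring>
#include <istream>
#include <sstream>
#include <string>
enum TokenStatus { TOKEN_OK, TOKEN_END_OF_INPUT, TOKEN_TOO_LONG };  // hypothetical names
static const int kEof = std::char_traits<char>::eof();
// Read one comma-separated field from `in` into `buf` (capacity `cap`, NUL included).
// Unlike a gets()-style reader it never writes past buf[cap-1]: an over-long field is
// reported as TOKEN_TOO_LONG. Double quotes are honoured ("" escapes a quote); a
// newline or EOF closes the record, which is reported through `end_of_record`.
TokenStatus get_csv_token_bounded(std::istream& in, char* buf, size_t cap, bool& end_of_record) {
    size_t n = 0; bool quoted = false; end_of_record = false;
    if (cap == 0) return TOKEN_TOO_LONG;
    buf[0] = '\0';
    int c = in.get();
    if (c == kEof) { end_of_record = true; return TOKEN_END_OF_INPUT; }
    if (c == '"') { quoted = true; c = in.get(); }
    for (;; c = in.get()) {
        if (c == kEof) { end_of_record = true; break; }
        if (quoted && c == '"') {
            int next = in.get();
            if (next != '"') {  // closing quote: skip ahead to the delimiter
                while (next != kEof && next != ',' && next != '\n') next = in.get();
                end_of_record = (next != ',');
                break;
            }                   // "" inside quotes: store a single '"' below
        } else if (!quoted && (c == ',' || c == '\n')) {
            end_of_record = (c == '\n');
            break;
        }
        if (n + 1 >= cap) { buf[cap - 1] = '\0'; return TOKEN_TOO_LONG; }  // no room left
        buf[n++] = static_cast<char>(c);
    }
    buf[n] = '\0';
    return TOKEN_OK;
}
// Read one header record through a 1001-byte token[] array, the size the advisory
// names; returns the field count, or -1 when a field would not fit the array.
int count_header_fields(const std::string& line) {
    std::istringstream in(line);
    char token[1001];
    int fields = 0; bool end = false;
    while (!end) {
        TokenStatus st = get_csv_token_bounded(in, token, sizeof token, end);
        if (st == TOKEN_TOO_LONG) return -1;
        if (st == TOKEN_END_OF_INPUT) { if (fields > 0) ++fields; break; }
        ++fields;
    }
    return fields;
}
```

A caller that gets TOKEN_TOO_LONG should reject the input rather than continue with a truncated field, since silently truncating a header changes the meaning of every row that follows.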