From djb@cr.yp.to Wed Dec 15 14:20:44 2004
Date: 15 Dec 2004 08:15:34 -0000
From: D. J. Bernstein
To: securesoftware@list.cr.yp.to, yanf@gmx.net, sycrash@users.sourceforge.net
Subject: [remote] [control] Yanf 0.4 get() overflows buf

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in Yanf. I'm publishing
this notice, but all the discovery credits should be assigned to Berkman.

You are at risk if you connect to any HTTP servers using Yanf. Anyone who
provides an HTTP response to Yanf (not necessarily the legitimate server
administrator; an attacker can forge HTTP responses) then has complete
control over your account: he can read and modify your files, watch the
programs you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10 with ucspi-tcp
installed, save the file 9.http attached to this message, and, as root, type

   tcpserver 127.0.0.1 80 cat 9.http &

to arrange for 9.http as the response to any connection to IP address
127.0.0.1 port 80. Then, as any user, type

   wget http://umn.dl.sourceforge.net/sourceforge/yanf/yanf-0.4.tar.gz
   gunzip < yanf-0.4.tar.gz | tar -xf -
   cd yanf-0.4
   make

to download and compile the yanf program, version 0.4 (current). Then type

   echo '[global]' > my.conf
   echo 'start = blah' >> my.conf
   echo '' >> my.conf
   echo '[Slashdot]' >> my.conf
   echo 'url = localhost/test.blah' >> my.conf
   echo 'type = slash' >> my.conf
   echo 'max = 10' >> my.conf
   echo 'output = blah' >> my.conf
   bin/yanf my.conf

with the unauthorized result that a file named x is created (and its
previous contents destroyed) in the current directory. (I tested this
with a 534-byte environment, as reported by printenv | wc -c.)

Here's the bug: In src/get.c, get() reads a line of any length into a
2048-byte buf[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
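The defect named above is an unbounded line read into a fixed 2048-byte buf[]. As an added example (not yanf's code, and not a reconstruction of get()), here is a bounded line reader that rejects a line that would not fit, exercised on a constructed response with one overlong header. It assumes POSIX fmemopen() to present an in-memory buffer as a FILE*.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>
/* Added example, not yanf's code. The advisory says get() in src/get.c
 * copies a line of any length into a 2048-byte buf[]; this reader instead
 * refuses a line that would not fit in the caller's buffer. */
#define LINE_MAX_BYTES 2048
/* Read one line (CR/LF stripped) into buf[cap]. Returns the line length,
 * -1 on EOF with no data, or -2 if the line would overflow buf; on -2 the
 * rest of the offending line is discarded and buf is left empty. */
int read_bounded_line(FILE *f, char *buf, size_t cap)
{
    size_t n = 0; int c = EOF;
    if (cap == 0) return -2;
    while ((c = fgetc(f)) != EOF && c != '\n') {
        if (n + 1 >= cap) {                 /* no room for byte plus NUL */
            while ((c = fgetc(f)) != EOF && c != '\n') ;
            buf[0] = '\0';
            return -2;
        }
        buf[n++] = (char)c;
    }
    if (c == EOF && n == 0) return -1;
    if (n && buf[n - 1] == '\r') n--;       /* drop CR of a CRLF line */
    buf[n] = '\0';
    return (int)n;
}

/* Count header lines up to the blank line; -2 if any line is overlong. */
int scan_headers(const char *resp, size_t len)
{
    char buf[LINE_MAX_BYTES];
    FILE *f = fmemopen((void *)resp, len, "r");
    int count = 0, r;
    if (!f) return -1;
    while ((r = read_bounded_line(f, buf, sizeof buf)) > 0) count++;
    fclose(f);
    return r == -2 ? -2 : count;
}

/* Constructed sample (not real traffic): status line + a 2100-byte header. */
int scan_overlong_sample(void)
{
    static char resp[LINE_MAX_BYTES + 128]; size_t n = 16;
    memcpy(resp, "HTTP/1.0 200 OK\n", n);
    memset(resp + n, 'A', 2100); n += 2100;
    resp[n++] = '\n'; resp[n++] = '\n';
    return scan_headers(resp, n);
}
```

A response whose every line fits is scanned normally; the 2100-byte header line makes scan_headers() return -2 instead of writing past the buffer.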