DJB's students release 44 *nix software vulnerability advisories

2004-12-16T00:00:00
ID SECURITYVULNS:DOC:7361
Type securityvulns
Reporter Securityvulns
Modified 2004-12-16T00:00:00

Description

Widely deployed open source software is commonly believed to contain fewer security vulnerabilities than similar closed source software, because unrestricted third-party source code auditing is possible. Predictably, most users of open source software do not invest a significant amount of time auditing the applications they use, and now a class of 25 students has discovered 44 vulnerabilities during a CS course.

This small group of students highlights how individuals outside the security industry, without special security prerequisites, can still outperform the average Bugtraq poster in sheer quantity of discoveries. This adequately validates the typical estimate of between 5 and 15 errors in every thousand lines of code.

D.J. Bernstein (http://cr.yp.to/djb.html) is lecturing a course this fall at the University of Illinois at Chicago called "MCS 494: Unix Security Holes" (http://cr.yp.to/2004-494.html). One of the requirements to pass the course was to find and exploit 10 previously undiscovered security holes in currently deployed Unix software.

With a class of 25 students discovering 44 vulnerabilities, most students now expect to fail the course (http://it.slashdot.org/article.pl?sid=04/12/15/2113202).

The 44 security advisories have been published at

http://tigger.uic.edu/~jlongs2/holes/

Ariel Berkman has discovered a remotely exploitable security hole in 2fax, a text-to-TIFF converter.
[remote] [control] 2fax 3.04 expandtabs overflows s buffer
http://tigger.uic.edu/~jlongs2/holes/2fax.txt

Limin Wang has discovered two remotely exploitable security holes in abc2midi.
[remote] [control] abc2midi 2004.12.04 event_text overflows msg buffer; event_specific overflows msg buffer
http://tigger.uic.edu/~jlongs2/holes/abc2midi.txt

Limin Wang has discovered a remotely exploitable security hole in abc2mtex.
[remote] [control] abc2mtex 1.6.1 process_abc overflows key buffer
http://tigger.uic.edu/~jlongs2/holes/abc2mtex.txt

Limin Wang has discovered a remotely exploitable security hole in abcm2ps.
[remote] [control] abcm2ps 3.7.20 put_words overflows str buffer
http://tigger.uic.edu/~jlongs2/holes/abcm2ps.txt

Yosef Klein has discovered a remotely exploitable security hole in abcpp.
[remote] [control] abcpp 1.3.0 process_directive overflows token buffer
http://tigger.uic.edu/~jlongs2/holes/abcpp.txt

Limin Wang has discovered two remotely exploitable security holes in abctab2ps.
[remote] [control] abctab2ps 1.6.3 write_heading overflows t; trim_title overflows rest
http://tigger.uic.edu/~jlongs2/holes/abctab2ps.txt

Qiao Zhang has discovered two remotely exploitable security holes in asp2php.
[remote] [control] asp2php 0.76.23 preparse() overflows token buffer; preparse() overflows temp buffer
http://tigger.uic.edu/~jlongs2/holes/asp2php.txt

James Longstreet and Tom Indelli have discovered a remotely exploitable security hole in bsb2ppm, a program to convert BSB image files to PPM image files.
[remote] [control] bsb2ppm 0.0.6 overflows line buffer
http://tigger.uic.edu/~jlongs2/holes/bsb2ppm.txt

Ariel Berkman has discovered a locally exploitable security hole in ChangePassword, a YP/Samba/Squid password-changing tool.
[local] [control] ChangePassword 0.8 runs setuid shell
http://tigger.uic.edu/~jlongs2/holes/changepassword.txt

Danny Lungstrom has discovered a remotely exploitable security hole in ChBg, a tool to change background pictures.
[remote] [control] chbg 1.5 simplify_path overflows res buffer
http://tigger.uic.edu/~jlongs2/holes/chbg.txt

Ariel Berkman has discovered a remotely exploitable security hole in Convex 3D.
[remote] [control] Convex 3D 0.8pre1 readObjectChunk overflows objectname buffer
http://tigger.uic.edu/~jlongs2/holes/convex3d.txt

Limin Wang has discovered a remotely exploitable security hole in csv2xml.
[remote] [control] csv2xml 0.5.1 get_field_headers overflows token
http://tigger.uic.edu/~jlongs2/holes/csv2xml.txt

Ariel Berkman has discovered a remotely exploitable security hole in CUPS.
[remote] [control] CUPS 1.1.22 hpgltops ParseCommand overflows buf
http://tigger.uic.edu/~jlongs2/holes/cups.txt

Bartlomiej Sieka has discovered several security problems in how lppasswd, version 1.1.22 (current), edits /usr/local/etc/cups/passwd.
[local] [kill] CUPS 1.1.22 lppasswd ignores write errors, etc.
http://tigger.uic.edu/~jlongs2/holes/cups2.txt

Ariel Berkman has discovered a remotely exploitable security hole in dxfscope, a viewer for DXF drawings.
[remote] [control] dxfscope 0.2 overflows ent_name buffer
http://tigger.uic.edu/~jlongs2/holes/dxfscope.txt

Ariel Berkman has discovered a remotely exploitable security hole in the elm/bolthole filter program.
[remote] [control] elm/bolthole filter 2.6.1 save_embedded_address overflows address buffer
http://tigger.uic.edu/~jlongs2/holes/elm-bolthole-filter.txt

Manigandan Radhakrishnan has discovered two remotely exploitable security holes in "Get and Resume Elite Edition" (greed), an FTP/HTTP downloading tool.
[remote] [control] greed 0.81p DownloadLoop overflows COMMAND; DownloadLoop does not check for nasty characters
http://tigger.uic.edu/~jlongs2/holes/greed.txt

Wiktor Kopec and Matthew Dabrowski have discovered a remotely exploitable security hole in html2hdml.
[remote] [control] html2hdml 1.0.3 remove_quote overflows print_buf buffer
http://tigger.uic.edu/~jlongs2/holes/html2hdml.txt

Manigandan Radhakrishnan has discovered a locally exploitable security hole in IglooFTP, at least version 0.6.1 (the current version in FreeBSD ports).
[local] [control] IglooFTP 0.6.1 uses fopen in /tmp
http://tigger.uic.edu/~jlongs2/holes/iglooftp.txt

Yosef Klein has discovered a remotely exploitable security hole in IglooFTP, at least version 0.6.1 (the current version in FreeBSD ports).
[remote] [control] IglooFTP 0.6.1 does not check for directory escapes
http://tigger.uic.edu/~jlongs2/holes/iglooftp2.txt

Tom Palarz and Limin Wang have discovered a remotely exploitable security hole in jcabc2ps.
[remote] [control] jcabc2ps switch_voice() overflows t1 buffer
http://tigger.uic.edu/~jlongs2/holes/jcabc2ps.txt

James Longstreet has discovered a remotely exploitable security hole in jpegtoavi.
[remote] [control] jpegtoavi 1.5 get_file_list_stdin overflows fn buffer
http://tigger.uic.edu/~jlongs2/holes/jpegtoavi.txt

Yosef Klein has discovered two remotely exploitable security holes in junkie, an FTP client, version 0.3.1 (current).
[remote] [control] junkie 0.3.1 gui_popup_view_fly does not check for nasty characters; ftp_retr does not check for directory escapes
http://tigger.uic.edu/~jlongs2/holes/junkie.txt

Stephen Dranger has discovered a remotely exploitable security hole in LinPopUp, an instant-messaging tool.
[remote] [control] LinPopUp 1.2.0 overflows sub_string buffer
http://tigger.uic.edu/~jlongs2/holes/linpopup.txt

Mohammed Khan and Danny Lungstrom have discovered a remotely exploitable security hole in Mesh Viewer.
[remote] [control] Mesh Viewer 0.2.2 Mesh::type overflows s1 buffer
http://tigger.uic.edu/~jlongs2/holes/meshviewer.txt

Bartlomiej Sieka has discovered a remotely exploitable security hole in mpg123.
[remote] [control] mpg123 0.59r find_next_file overflows linetmp buffer
http://tigger.uic.edu/~jlongs2/holes/mpg123.txt

Ariel Berkman has discovered a remotely exploitable security hole in MPlayer.
[remote] [control] MPlayer 1.0pre5 get_header overflows data buffer
http://tigger.uic.edu/~jlongs2/holes/mplayer.txt

Bartlomiej Sieka has discovered a remotely exploitable security hole in NapShare, at least version 1.2 (the current version in FreeBSD ports).
[remote] [control] NapShare 1.2 auto_filter_extern overflows filename buffer
http://tigger.uic.edu/~jlongs2/holes/napshare.txt

Jonathan Rockway has discovered a remotely exploitable security hole in NASM.
[remote] [control] NASM 0.98.38 error() overflows buff[]
http://tigger.uic.edu/~jlongs2/holes/nasm.txt

Wiktor Kopec has discovered a remotely exploitable security hole in o3read, a converter for SXW files.
[remote] [control] o3read 0.0.3 parse_html overflows t buffer
http://tigger.uic.edu/~jlongs2/holes/o3read.txt

Danny Lungstrom has discovered two remotely exploitable security holes in pcal.
[remote] [control] pcal 4.7.1 getline overflows tmpbuf; get_holiday overflows tmp
http://tigger.uic.edu/~jlongs2/holes/pcal.txt

Tom Palarz and Kris Kubicki have discovered a remotely exploitable security hole in pgn2web, a converter from PGN-format chess games to web pages.
[remote] [control] pgn2web 0.3 process_moves overflows token buffer
http://tigger.uic.edu/~jlongs2/holes/pgn2web.txt

Jonathan Rockway has discovered that qwik-smtpd, version 0.3, allows spammers to freely relay mail.
[remote] [exhaust] qwik-smtpd overflows clientHelo buffer
http://tigger.uic.edu/~jlongs2/holes/qwik-smtpd.txt

Qiao Zhang has discovered a remotely exploitable security hole in ringtonetools.
[remote] [control] ringtonetools 2.22 parse_emelody overflows song buffer
http://tigger.uic.edu/~jlongs2/holes/ringtonetools.txt

Limin Wang has discovered a remotely exploitable security hole in rtf2latex2e.
[remote] [control] rtf2latex2e 1.0fc2 ReadFontTbl overflows buffer
http://tigger.uic.edu/~jlongs2/holes/rtf2latex2e.txt

Yosef Klein has discovered a remotely exploitable security hole in tnftp, an FTP client, version 20030825 (current at least in FreeBSD ports).
[remote] [control] tnftp 20030825 does not check for directory escapes
http://tigger.uic.edu/~jlongs2/holes/tnftp.txt

Danny Lungstrom has discovered that uml_net allows local users to take down the computer's Ethernet connection.
[local] [kill] uml-utilities 20030903 uml_net slip_down() fails to check permissions
http://tigger.uic.edu/~jlongs2/holes/uml-utilites.txt

Yosef Klein and Limin Wang have discovered a remotely exploitable security hole in unrtf.
[remote] [control] unrtf 0.19.3 process_font_table overflows name buffer
http://tigger.uic.edu/~jlongs2/holes/unrtf.txt

Qiao Zhang has discovered a remotely exploitable security hole in vb2c.
[remote] [control] vb2c 0.02 parse_sub overflows token buffer
http://tigger.uic.edu/~jlongs2/holes/vb2c.txt

Ariel Berkman has discovered a remotely exploitable security hole in vilistextum, an HTML-to-text converter.
[remote] [control] vilistextum 2.6.6 get_attr overflows temp buffer
http://tigger.uic.edu/~jlongs2/holes/vilistextum.txt

Ariel Berkman has discovered a remotely exploitable security hole in xine-lib.
[remote] [control] xine-lib open_aiff_file overflows buffer
http://tigger.uic.edu/~jlongs2/holes/xine-lib.txt

Tom Palarz and Kris Kubicki have discovered a remotely exploitable security hole in xlreader, a program to read Excel files.
[remote] [control] xlreader 0.9.0 overflows insert_start buffer
http://tigger.uic.edu/~jlongs2/holes/xlreader.txt

Manigandan Radhakrishnan has discovered a remotely exploitable security hole in YAMT, an MP3-organization tool.
[remote] [control] YAMT 0.5 id3tag_sort does not check for nasty characters
http://tigger.uic.edu/~jlongs2/holes/yamt.txt

Ariel Berkman has discovered a remotely exploitable security hole in Yanf.
[remote] [control] Yanf 0.4 get() overflows buf
http://tigger.uic.edu/~jlongs2/holes/yanf.txt

Regards,

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9 B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation. <http://www.pivx.com/qwikfix>