The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
HOCR Local Buffer Overflows
------------------------------------------------------------------------
SUMMARY
"HOCR <http://hocr.berlios.de/> is a Hebrew character recognition c/c++
library". Lack of proper length validation allows local attackers to cause
HOCR to execute arbitrary code.
DETAILS
Vulnerable Systems:
* HOCR Revision 112
Immune Systems:
* HOCR Revision 124
The HOCR program demonstrates how the HOCR library can be used. It
receives command line parameters and copies them into buffers whose
length is set to 255 characters; however, the user-provided input is not
checked for its length, allowing local users to overflow the buffer
used and cause the program to execute arbitrary code.
Vulnerable code:
hocr-cmd.c:
..
    char filename_in[255];
    char filename_out[255];
    char format_out[255];
..
    while ((c = getopt (argc, argv, "hi:o:f:")) != EOF)
    {
        switch (c)
        {
        case 'i':
            opt_i = 1;
            if (optarg)
                strcpy (filename_in, optarg);
            break;
        case 'o':
            opt_o = 1;
            if (optarg)
                strcpy (filename_out, optarg);
            break;
        case 'f':
            opt_f = 1;
            if (optarg)
                strcpy (format_out, optarg);
            break;
...
Proof of Concept:
The following command line will cause the program to overflow one of its
internal buffers:
hocr -i `perl -e 'print "a" x 260;'`
Vendor Status:
The vendor fixed the vulnerability as soon as it was contacted.
Disclosure Timeline:
03/09/2005 - Vulnerability discovered
03/09/2005 - Vendor notified and a fix was released
04/09/2005 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by Ido Kanner
<idok@beyondsecurity.com>.