COMMAND
compress
SYSTEMS AFFECTED
SuSE 6.2
PROBLEM
Way back in August of 1998 H D Moore posted a message to the
Bugtraq list about a handful of buffer overflows in various
utilities that shipped with SuSE Linux 6.2. It seems that after
a year and a half a few of these bugs STILL exist. None of these
utilities are harmful by themselves, but they may open a security
hole when called by a privileged program (see compress below).
The original message can be found here:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-08-29&msg=35EE534C.B0031C53@usa.net
compress version 2.4.2 (compiled August 98 under RedHat 6.1 / July
99 SuSE 6.2) buffer overflow in file name. NOT setuid/setgid or
anything, but this is the SAME compress used by the ftpd in both
RedHat 6.1 AND SuSE 6.2. In other words: write a file whose path is
longer than the buffer limit, then request that file.Z and you have
stack space in a root process. Someone want to whip up a quick
exploit? Note: the FTP daemon may restrict path lengths; any other
ideas for exploiting this?
Example: (on SuSE 6.2)
loki:/tmp $ compress -V
Compress version: (N)compress 4.2.4, compiled: Thu Jul 22 23:01:15 GMT 1999
Compile options:
USE_BYTEORDER, FAST, DIRENT, LSTAT,
REGISTERS=20 IBUFSIZ=1024, OBUFSIZ=1024, BITS=16
Author version 4.2 (Speed improvement & source cleanup):
Peter Jannesen (peter@ncs.nl)
Author version 4.1 (Added recursive directory compress):
Dave Mack (csu@alembic.acs.com)
Authors version 4.0 (World release in 1985):
Spencer W. Thomas, Jim McKie, Steve Davies,
Ken Turkowski, James A. Woods, Joe Orost
loki:/tmp $ compress `perl -e 'print "A" x 1023'`
AAA...AAA: File name too long
loki:/tmp $ compress `perl -e 'print "A" x 1024'`
AAA...AAA: File name too long
Segmentation Fault
loki:/tmp $ compress `perl -e 'print "A" x 1173'`
Segmentation Fault
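The pattern behind a "File name too long" message that is followed by a segmentation fault, shown as an added C illustration that is not ncompress's own code (the buffer size, suffix handling and function names are assumed): a length check that runs only after an unbounded copy, beside a form that checks the full result length before writing anything.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes and names for illustration; not ncompress's real layout. */
#define NAME_BUF 1024
#define SUFFIX   ".Z"

/* Vulnerable pattern: the "too long" check exists, but the unbounded copy
 * into the fixed stack buffer runs first, so an over-long name has already
 * overwritten adjacent stack data by the time the message is printed. */
int unsafe_output_name(const char *in, char out[NAME_BUF])
{
    strcpy(out, in);                 /* no bound on the write             */
    strcat(out, SUFFIX);
    if (strlen(in) + strlen(SUFFIX) >= NAME_BUF) {
        fprintf(stderr, "%s: File name too long\n", in);
        return -1;                   /* correct verdict, too late to help */
    }
    return 0;
}

/* Hardened form: size the result (name + suffix + NUL) before touching the
 * buffer, refuse anything that does not fit, and write with bounded copies. */
int safe_output_name(const char *in, char out[NAME_BUF])
{
    size_t len = strlen(in);
    if (len + strlen(SUFFIX) + 1 > NAME_BUF) {
        fprintf(stderr, "%s: File name too long\n", in);
        out[0] = '\0';
        return -1;
    }
    memcpy(out, in, len);
    memcpy(out + len, SUFFIX, strlen(SUFFIX) + 1);
    return 0;
}

/* Feeds a constructed name of n 'A's (like the perl one-liners above) to the
 * hardened routine; returns 0 if accepted, -1 if rejected. */
int safe_accepts_name_of_length(size_t n)
{
    static char in[2048];
    char out[NAME_BUF];
    if (n >= sizeof in) return -1;
    memset(in, 'A', n);
    in[n] = '\0';
    return safe_output_name(in, out);
}
```

With the assumed 1024-byte buffer, a name of 1021 characters is the longest the hardened routine accepts, since the ".Z" suffix and the terminating NUL must also fit; the 1023-, 1024- and 1173-character names from the session above are all rejected before any write.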
Same goes for lha.
lha version 1.2 (never was updated)
segfaults start at 19107 characters on SuSE 6.2 AND RedHat 6.1
SOLUTION
Nothing yet.