Posts with label: stack based buffer overflow

Stack buffer overflow vulnerability in the X Window System affects Linux

A stack-based buffer overflow vulnerability (CVE-2013-6462) has been identified in the X Window System. It affects X servers on Linux and other UNIX-like operating systems.

According to the advisory, a BDF font file containing a longer-than-expected string could overflow a buffer on the stack. Testing in X servers built with Stack Protector resulted in an immediate crash when reading a user-provided, specially crafted font.

The vulnerability is in "lib/libXfont/src/bitmap/bdfread.c", the BDF parser of libXfont. libXfont is the library every X server uses to read user-specified font files, so any font the server can be made to load reaches this code.

Vulnerable code (from bdfReadCharacters() in bdfread.c):

    char charName[100];
    int ignore;

    if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
        bdfError("bad character name in BDF file\n");
        goto BAILOUT;   /* bottom of function, free and return error */
    }
As the code shows, 'charName' is declared as a 100-byte array, so it can hold a glyph name of at most 99 characters plus the terminating NUL.

The "%s" conversion has no field width, so sscanf copies as many non-whitespace characters as the input contains without regard to the size of the destination. A STARTCHAR line with a name longer than 99 characters therefore writes past the end of charName and overwrites whatever follows it on the stack.

A successful exploit could allow the attacker to execute arbitrary code. Since the Xorg server usually runs as root, that code would run with root privileges; the attacker only needs a way to make the server load the crafted font file.

The fix limits the number of characters sscanf may store, leaving room for the terminating NUL:

if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
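The following is an added example, not code from libXfont or from the advisory, showing the difference between the two format strings on a constructed STARTCHAR line. It mirrors the 100-byte charName buffer, measures how many bytes an unbounded "%s" would have written for a given line (and thus whether the original code would overflow), and runs the fixed "%99s" version to show that the name is truncated to 99 characters instead. The helper and buffer names, and the sample lines, are constructed for this example:

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 100   /* same size as charName[100] in bdfread.c */

/* Hardened parse, mirroring the upstream fix: the field width 99 caps what
 * sscanf may store in out[], leaving one byte for the terminating NUL.
 * Returns 1 if a glyph name was parsed, 0 otherwise. */
int parse_startchar_fixed(const char *line, char out[NAME_CAP])
{
    return sscanf(line, "STARTCHAR %99s", out) == 1;
}

/* Length of the token an unbounded "%s" would copy: skip the STARTCHAR
 * keyword and any whitespace (as %s does), then count up to the next
 * whitespace. Returns 0 if the line is not a STARTCHAR line. */
size_t startchar_token_len(const char *line)
{
    if (strncmp(line, "STARTCHAR", 9) != 0)
        return 0;
    const char *p = line + 9;
    p += strspn(p, " \t");
    return strcspn(p, " \t\r\n");
}

/* 1 if the original "STARTCHAR %s" into charName[100] would write past the
 * end of the buffer for this line (token plus NUL exceeds 100 bytes). */
int original_would_overflow(const char *line)
{
    return startchar_token_len(line) + 1 > NAME_CAP;
}

/* Build a constructed STARTCHAR line whose glyph name is name_len 'A's.
 * This stands in for the "longer than expected string" of a crafted font;
 * it is test input for this example, not taken from any real BDF file. */
void make_startchar_line(char *buf, size_t cap, size_t name_len)
{
    const char prefix[] = "STARTCHAR ";
    size_t used = 0;
    for (size_t i = 0; prefix[i] && used + 1 < cap; i++)
        buf[used++] = prefix[i];
    for (size_t i = 0; i < name_len && used + 1 < cap; i++)
        buf[used++] = 'A';
    buf[used] = '\0';
}

/* Would the original code overflow on a crafted line of name_len chars? */
int crafted_line_overflows_original(size_t name_len)
{
    char line[512];
    make_startchar_line(line, sizeof line, name_len);
    return original_would_overflow(line);
}

/* How many characters does the fixed code store for such a line?
 * Returns -1 if the fixed sscanf does not parse a name at all. */
int crafted_line_len_after_fix(size_t name_len)
{
    char line[512], name[NAME_CAP];
    make_startchar_line(line, sizeof line, name_len);
    if (!parse_startchar_fixed(line, name))
        return -1;
    return (int)strlen(name);
}

int main(void)
{
    char name[NAME_CAP];
    const char *good = "STARTCHAR space";   /* constructed, legitimate line */

    printf("%-20s original overflows=%d, fixed parsed=%d\n", good,
           original_would_overflow(good), parse_startchar_fixed(good, name));
    for (size_t n = 98; n <= 101; n++)
        printf("name of %3zu chars: original overflows=%d, fixed stores %d chars\n",
               n, crafted_line_overflows_original(n),
               crafted_line_len_after_fix(n));
    return 0;
}
```

The boundary is at 100 characters: a 99-character name fits with its NUL, a 100-character name already writes one byte past charName in the original code, and longer names overwrite correspondingly more of the stack frame. With "%99s" the conversion still succeeds, but at most 99 characters are stored and the rest of the line is left unread, which in bdfread.c simply means the over-long name is truncated rather than corrupting memory. The width must be the buffer size minus one; "%100s" would still overflow by the NUL byte.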

Canonical has released a security update for Ubuntu; instructions for updating the affected packages are in the corresponding Ubuntu Security Notice.

Local Stack buffer overflow Vulnerability in Quickheal antivirus

A security researcher from Vulnerability Lab has discovered a local stack buffer overflow vulnerability in the Quick Heal AntiVirus Pro software (b2.0.0.1).
According to the researcher, improper handling of buffers in the 'pepoly.dll' module leads, under certain conditions, to a stack overflow. Disabling the Core Scanning Server service could trigger the vulnerable code path and crash the system.

"The vulnerability is located in the generated PE file `*.text` value. It can be overflowed by manipulating import of a malicious PE file. The issue is a classic (unicode) stack buffer overflow."

A local attacker with low privileges could exploit this vulnerability to take control of the system, or simply to crash the Quick Heal software process. The security risk of this vulnerability has been rated as medium.

The researcher also proposed a fix: "It can be patched by a secure filter and size restriction of the PE file name text flag".

A proof of concept has been published by the researcher.

Zero-day vulnerabilities in the MySQL database allow attackers to crash the service

Multiple zero-day vulnerabilities have been disclosed in the popular MySQL database software. They could allow attackers to crash the service and deny access to users, escalate privileges, or bypass authentication.

Five issues were disclosed in total. According to the report, one was later recognised as a duplicate of an existing flaw and another as a misconfiguration rather than a software vulnerability.

Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track the issues:

  • CVE-2012-5611 — MySQL (Linux) Stack based buffer overrun PoC Zeroday
  • CVE-2012-5612 — MySQL (Linux) Heap Based Overrun PoC Zeroday
  • CVE-2012-5613 — MySQL (Linux) Database Privilege Elevation Zeroday Exploit
  • CVE-2012-5614 — MySQL Denial of Service Zeroday PoC
  • CVE-2012-5615 — MySQL Remote Preauth User Enumeration Zeroday

Security researcher Eric Romang has posted a video on his blog demonstrating how misconfigured servers are vulnerable.

Similar issues were disclosed at the same time for SSH Communications Security's Tectia SSH Server, which was also found to be vulnerable to authentication bypass.