Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Jun 2015 20:25:37 +0200
From: Hanno Böck <hanno@...eck.de>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: Stack out of bounds read access in uudecode
 / sharutils

Hi CVE-team,

On Tue,  2 Jun 2015 22:35:02 -0400 (EDT)
cve-assign@...re.org wrote:

> What are the realistic scenarios in which this has a security impact?
> 
> For example, can any of these occur on actual systems?
> 
> 1. The attacker e-mails a uuencoded file to their own mailbox on a
> web-based mail service. This service has a feature in which decoded
> data is presented to the recipient. (The server operates on the data
> with the uudecode program, not with any other implementation of the
> uudecode algorithm. The attacker gains read access to unintended parts
> of the server's memory.)
> 
> 2. A web site allows users to do HTTP uploads of data in uuencoded
> format, and supports requests for decoded versions of the data. Same
> parenthesized description as above.
> 
> 3. The attacker composes a news article with crafted uuencoded data
> and posts it to the alt.sources Usenet newsgroup. The attacker is
> subscribed to this newsgroup in their own account on a web-based
> Usenet news reading service. Same parenthesized description as above.

To answer these questions to the best of my knowledge: I don't know.

This is a question I think I can answer in a very general fashion. I
find and report these out of bounds vulns very often. I can
confirm that in your described scenarios an attacker could trigger an
out of bounds read. If that can in anyway be used to exfiltrate data or
other attacks: I don't know. In this case it's probably unlikely,
because as you can see the oob read is just one byte.

Analyzing the impact of these kinds of vulns would require digging and
understanding the code in detail by someone skilled in memory
corruption exploitation (that means: not me).

What I can say is that many very similar issues I reported in the past
got CVEs (lately e.g. in wireshark and curl). And there'll probably be
a lot more in the near future. I started trying to write up reports for
all issues of these kinds I reported once they got fixed.

If you prefere not to be bothered about out of bounds issues with
unknown impact any more I am fine with that and will stop cc-ing. Also
- if the people on oss-security feel that my reports on these
minor issues are too frequently please tell me and I'll stop sending
them. But in the past I had the impression it's apprechiated and solar
designer wants as much info as possible in the oss-security archives
in case external sources vanish.


cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.