jpegtoavi version 1.5 is susceptible to a buffer overflow in the get_file_list_stdin() function.
6aa04b2b8cb6f9f6ed955f347b513ea25c78b28773707235e13381e33f38860c
From djb@cr.yp.to Wed Dec 15 14:20:49 2004
Date: 15 Dec 2004 08:16:04 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, di77ihd@users.sourceforge.net
Subject: [remote] [control] jpegtoavi 1.5 get_file_list_stdin overflows fn buffer
James Longstreet, a student in my Fall 2004 UNIX Security Holes course,
has discovered a remotely exploitable security hole in jpegtoavi. I'm
publishing this notice, but all the discovery credits should be assigned
to Longstreet.
You are at risk if you take jpegtoavi input---a set of JPEG files and a
file listing the names of the JPEG files---from an email message (or a
web page or any other source that could be controlled by an attacker).
Whoever provides that input then has complete control over your account:
he can read and modify your files, watch the programs you're running,
etc.
Of course, when you accept a list of input filenames from someone else,
you are running the risk that those filenames include some of your
files, so that the jpegtoavi output will include some of your files
(maybe secret pictures). But the jpegtoavi documentation does not
suggest that there is any larger risk.
Proof of concept: On an x86 computer running Linux with gcc 2.95.4, type
wget http://umn.dl.sourceforge.net/sourceforge/jpegtoavi/jpegtoavi-1.5.tar.gz
gunzip < jpegtoavi-1.5.tar.gz | tar -xf -
cd jpegtoavi-1.5
make
to download and compile the jpegtoavi program. Then save the file
10.list attached to this message, and type
./jpegtoavi -f 1 640 480 < 10.list
with the unauthorized result that a directory named ``hacked'' is
created inside the current directory.
Here's the bug: In jpegtoavi.c, get_file_list_stdin() uses an
unprotected %s scanf to read any number of bytes into an fn[] array.
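The following is an added illustration, not jpegtoavi's own source: it places the bug class the advisory names (an fscanf "%s" with no width, writing an unbounded token into a fixed fn[] array) next to a bounded reader that derives its width from the buffer size and rejects over-long names instead of truncating them. FN_MAX, MAX_NAMES, the function names and the sample lists are assumptions constructed for the demonstration; jpegtoavi's real buffer size is not stated in the notice.

```c
/* Added example, not jpegtoavi's code. Contrasts an unbounded "%s" fscanf
   into a fixed fn[] buffer (the bug class in the advisory) with a bounded
   reader that refuses names longer than the buffer. All sizes, names and
   sample inputs below are assumptions/constructed for the demonstration. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FN_MAX 64      /* assumed buffer size, not jpegtoavi's actual one */
#define MAX_NAMES 16   /* assumed capacity of the name table */

/* The unsafe shape described in the advisory: "%s" carries no width, so a
   token longer than FN_MAX-1 bytes is written past the end of fn[].
   Kept for contrast only; nothing in this file calls it. */
static int read_name_unbounded(FILE *in, char fn[FN_MAX])
{
    return fscanf(in, "%s", fn) == 1;
}

/* Bounded reader. The width in the format string is generated from FN_MAX
   so the two cannot drift apart. After the read, the next byte tells us
   whether the token really ended: if it is not whitespace or EOF, the name
   was longer than fits and is rejected rather than silently truncated.
   Returns 1 = name stored, 0 = end of input, -1 = over-long name. */
static int read_name_bounded(FILE *in, char fn[FN_MAX])
{
    char fmt[16];
    int c;
    snprintf(fmt, sizeof fmt, "%%%ds", FN_MAX - 1);   /* yields "%63s" */
    if (fscanf(in, fmt, fn) != 1)
        return 0;
    c = fgetc(in);
    if (c == EOF || isspace(c))
        return 1;
    return -1;
}

/* Parses a whole list held in memory (stand-in for the stdin stream).
   Returns the number of names stored, or -1 if any name is over-long or
   the list holds more entries than names[] can take. */
static int load_file_list(const char *text, char names[][FN_MAX], int max_names)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    int count = 0, rc;
    if (!in)
        return -1;
    for (;;) {
        if (count == max_names) {
            /* table full: acceptable only if nothing but whitespace remains */
            int c;
            while ((c = fgetc(in)) != EOF && isspace(c))
                ;
            rc = (c == EOF) ? 0 : -1;
            break;
        }
        rc = read_name_bounded(in, names[count]);
        if (rc != 1)
            break;
        count++;
    }
    fclose(in);
    return rc == 0 ? count : -1;
}

/* Constructed sample: a well-formed list of three names. */
static int demo_good(char names[][FN_MAX])
{
    static const char list[] = "frame0001.jpg frame0002.jpg\nframe0003.jpg\n";
    return load_file_list(list, names, MAX_NAMES);
}

/* Constructed sample: one 204-byte name, far longer than fn[] can hold.
   With the unbounded reader this would overrun the buffer; the bounded
   reader returns -1 and stores nothing past FN_MAX-1 bytes. */
static int demo_overlong(void)
{
    char list[256], names[MAX_NAMES][FN_MAX];
    memset(list, 'A', 200);
    memcpy(list + 200, ".jpg\n", 6);   /* copies the NUL terminator too */
    return load_file_list(list, names, MAX_NAMES);
}

int main(void)
{
    char names[MAX_NAMES][FN_MAX];
    int n = demo_good(names), i;
    (void)read_name_unbounded;   /* referenced only to silence unused warnings; never called */
    printf("good list: %d names\n", n);
    for (i = 0; i < n; i++)
        printf("  %s\n", names[i]);
    printf("over-long name: rc=%d (rejected)\n", demo_overlong());
    return 0;
}
```

The design choice worth noting is the post-read check on the next byte: a width such as "%63s" alone stops the overflow, but it silently splits a long name into two tokens, so the program would quietly open the wrong files. Rejecting the whole list on an over-long entry keeps the parser's behaviour predictable for untrusted input, which is the situation the advisory describes.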
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
[ Part 2, Text/PLAIN (charset: unknown-8bit) 95 lines. ]