
GNU/Linux 'info Buffer Overflow
Package: info
Version: 4.7-2.1
Severity: grave
Tags: security
Justification: user security hole
-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=C, LC_CTYPE=C

Versions of packages info depends on:
ii  libc6                       2.3.2.ds1-15 GNU C Library: Shared libraries an
ii  libncurses5                 5.4-4        Shared libraries for terminal hand

-- no debconf information

Information:
I have tested several versions (Debian stable, unstable and testing) and
have found that this bug exists in all versions tested. I have included
a small --restore script that can be used to leverage a simple Seg fault.
This buffer overflow is very trivial to leverage as there are several
bytes available (10-15+).  It may be possible that arbitrary system calls
could be made through this hole. It is also possible to leverage this
from the command line using the --restore=FILENAME flag, and need not
have the program running.  Although it is not running as suid, or as a
daemon, in a case where info is being used as a public service, it may
be a security problem. This bug seems only to be accessable where the
file has xrefs available.

Walkthrough:
        $ info info
        [info screen comes up]
        press 'g'
        [Goto Node:]
        type 'Expert Info' <enter>

        (OR any other way to get to a page with xrefs)

        press 'f'
        Type in 225 or more bytes and press enter.
        SEG FAULT!

Example File:
        The following can be saved to a file and called as:
        info info --restore=info.bug to create a segmentation fault.

        [START info.bug]
        gExpert Info
        
fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

        [END info.bug]
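The defect class the report describes, a fixed-size prompt buffer filled with a reply whose length is never checked, isolated into a small C program with the bounded replacement beside it. This is an added illustration and not info's own code: the buffer size NODE_NAME_MAX and the function names are assumptions chosen only so that a reply of the length the report mentions (225 bytes) is the one that no longer fits; info's real buffer size and prompt code are not on the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: picked so that a ~225-byte reply, as in the report,
 * does not fit. This is an illustrative value, not info's real one. */
#define NODE_NAME_MAX 224

/* Vulnerable pattern (illustrative, not info's code): the reply to a prompt
 * is copied into a fixed-size buffer with no length check, so any reply of
 * NODE_NAME_MAX bytes or more writes past the end of the buffer. Shown for
 * comparison only; nothing below calls it. */
void copy_reply_unbounded(char *dst, const char *reply)
{
    strcpy(dst, reply);         /* no bound: the overflow the report describes */
}

/* Hardened replacement: a reply that does not fit is rejected outright
 * rather than copied, so an over-long reply cannot corrupt adjacent memory.
 * Returns 0 on success, -1 when the reply is too long for dst. */
int copy_reply_bounded(char *dst, size_t dstsz, const char *reply)
{
    size_t n = strlen(reply);
    if (n >= dstsz) {
        return -1;              /* too long: caller reports an error to the user */
    }
    memcpy(dst, reply, n + 1);  /* n + 1 copies the terminating NUL as well */
    return 0;
}

/* Mimics reading the reply to the 'f' (follow xref) prompt: reads one line,
 * strips the newline, and accepts it only if it fits in the caller's buffer.
 * Returns 0 on success, -1 on EOF/read error, -2 if the line was longer than
 * the temporary line buffer, -3 if the reply does not fit in `out`. */
int read_xref_reply(FILE *in, char *out, size_t outsz)
{
    char line[1024];
    if (fgets(line, sizeof line, in) == NULL) {
        return -1;
    }
    size_t n = strcspn(line, "\n");
    if (line[n] != '\n' && n == sizeof line - 1) {
        return -2;              /* fgets truncated the line: treat as too long */
    }
    line[n] = '\0';
    return copy_reply_bounded(out, outsz, line) == 0 ? 0 : -3;
}

/* Builds a constructed reply of `count` 'A' bytes, like the restore file in
 * the report. Returns the number of bytes actually written. */
size_t make_reply(char *buf, size_t bufsz, size_t count)
{
    if (count >= bufsz) {
        count = bufsz - 1;
    }
    memset(buf, 'A', count);
    buf[count] = '\0';
    return count;
}

/* Returns 1 if a reply of `count` 'A' bytes is accepted by the bounded copy
 * into a NODE_NAME_MAX-sized buffer, 0 if it is rejected. */
int reply_accepted(size_t count)
{
    char reply[1024];
    char node[NODE_NAME_MAX];
    make_reply(reply, sizeof reply, count);
    return copy_reply_bounded(node, sizeof node, reply) == 0;
}

int main(void)
{
    /* A short node name is accepted; the 225-byte reply from the report is
     * refused instead of overrunning the buffer. */
    printf("20-byte reply accepted:  %d\n", reply_accepted(20));
    printf("225-byte reply accepted: %d\n", reply_accepted(225));
    return 0;
}
```

The point of the bounded version is the rejection path: silently truncating a node name would make the lookup fail in a confusing way, while refusing a reply that is too long both avoids the memory corruption and gives the user a clear error. The same check applies to the --restore path, since that file is just a recorded sequence of keystrokes fed to the same prompts.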