
Date:         Tue, 2 Nov 1999 22:39:56 +0900
From: UNYUN <shadowpenguin@BACKSECTION.NET>
Subject:      Some holes for Win/UNIX softwares
To: BUGTRAQ@SECURITYFOCUS.COM

Hello,

We found security problems in some software for UNIX and Windows 9*/NT.
This is a detailed report on those security problems.
The following problems are from posts to BUGTRAQ-JP (which are
written in Japanese), but there were some requests, so I am posting them to BUGTRAQ.

  vendor      software          version   exploitable on
-----------------------------------------------------------
1 YAMAHA      YAMAHA MidiPlug   1.10b     IE4/5, Windows98J
2 BTD STUDIO  ZOM-MAIL          1.09      Windows98J
3             AN-HTTPd          1.20b     Windows98J
4 IBM         HomePagePrint     1.0.7     Windows98J
5             uum               4.2       Turbo Linux3J
6             canuum            3.5b2     Turbo Linux3J


(1) YAMAHA MidiPlug 1.10b

Problem:
The MIDI plug-in "YAMAHA MidiPlug 1.10b-j" for Windows IE4/5
contains a buffer overflow bug. If a long "TEXT" variable is
specified in the EMBED tag, the buffer overflows. If an attacker places the
exploit on a web page, the visitor's host is compromised by whatever
instructions are written in the "TEXT" variable.

Solution:
If the "execution of ActiveX controls and plugins" setting is turned to
"invalid" (disabled), you can avoid this problem. The "Display dialog box" mode is
still vulnerable: the overflow occurs without the dialog-box warning if the
file being opened is stored on the local disk and is opened from there.

Exploit:
http://shadowpenguin.backsection.net/toolbox.html#no051
This exploit generates an HTML file that contains the exploit. The HTML
file executes "c:\windows\welcome.exe" on the victim host. This was
tested on Windows98 (Japanese).


(2) BTD STUDIO ZOM-MAIL 1.09

Problem:
The Internet mailer "ZOM-MAIL 1.09" for Windows contains a buffer overflow
bug. If a long attachment file name is contained in a received mail, the
buffer overflows when ZOM-MAIL pops that mail from the POP server. If an
attacker puts the exploit in the filename, the user's host is compromised
by whatever instructions are written in the filename area.

Solution:
Before you pop your mail with ZOM-MAIL, check your mail using another
mailer that does not have the same bug.

Exploit:
http://shadowpenguin.backsection.net/toolbox.html#no050
This exploit removes the file "c:\windows\test.txt". This was tested on
Windows98 (Japanese).


(3) AN-HTTPd 1.20b

Problem:
The test CGIs distributed with AN-HTTPd 1.20b allow remote command
execution.

Solution:
[1] Remove the following test CGIs:
    cgi-bin/test.bat
    cgi-bin/input.bat
    cgi-bin/input2.bat
    ssi/envout.bat
[2] Version 1.21 has been released at the official site:
    http://www.st.rim.or.jp/~nakata/

Exploit:
(example)
http://www.xxx.yy/cgi-bin/input.bat?|dir..\..\windows


(4) IBM HomePagePrint 1.0.7

Problem:
The web page printout software "IBM HomePagePrint 1.0.7" contains a buffer
overflow bug. If a long string is specified in the IMG SRC attribute, the buffer
overflows. If an attacker places the exploit on a web page, the visitor's
host is compromised by whatever instructions are written in the IMG SRC attribute.

Solution:
The patch can be downloaded at:
http://www.ibm.co.jp/software/internet/hpgprt/down2.html

Exploit:
http://shadowpenguin.backsection.net/toolbox.html#no045
This exploit executes "c:\windows\notepad.exe" on the victim host. This
was tested on Windows98 (Japanese).
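Items (1) and (4) both come down to an overlong attribute value in a tag the client trusts (EMBED TEXT for MidiPlug, IMG SRC for HomePagePrint). The following is an added example, not part of this advisory or of the products named: a small content check a proxy or mail gateway could run over incoming HTML to flag pages carrying such oversized attributes before a vulnerable viewer renders them. The 256-byte threshold and the sample page are assumptions constructed for the example; the advisory gives no exact overflow length.

```python
from html.parser import HTMLParser

# Length above which a watched attribute value is treated as suspicious.
# Assumption for this example; the advisory does not state the overflow size.
MAX_ATTR_LEN = 256

# (tag, attribute) pairs named in the advisory: EMBED TEXT and IMG SRC.
WATCHED = {("embed", "text"), ("img", "src")}


class OverlongAttrScanner(HTMLParser):
    """Record (tag, attribute, length) for watched attributes over the limit."""

    def __init__(self, limit=MAX_ATTR_LEN):
        super().__init__()
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        for name, value in attrs:
            if value is None:
                continue
            if (tag, name) in WATCHED and len(value) > self.limit:
                self.findings.append((tag, name, len(value)))


def scan_html(html, limit=MAX_ATTR_LEN):
    """Return a list of (tag, attribute, length) for overlong watched attributes."""
    scanner = OverlongAttrScanner(limit)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one benign EMBED, one EMBED with an oversized TEXT
# value and one IMG with an oversized SRC value (padding stands in for payload).
SAMPLE_PAGE = (
    '<html><body>'
    '<embed src="song.mid" text="normal caption">'
    '<embed src="song.mid" text="' + "A" * 2000 + '">'
    '<img src="' + "B" * 1500 + '">'
    '</body></html>'
)

if __name__ == "__main__":
    for tag, attr, length in scan_html(SAMPLE_PAGE):
        print(f"suspicious <{tag} {attr}=...>: {length} bytes")
```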


(5) uum

Problem:
This is a suid program that is installed by default on many kinds of
Japanese-edition UNIX. It overflows if a long argument is specified with
the -D option, and a local user can obtain root privileges.

Exploit:
http://shadowpenguin.backsection.net/toolbox.html#no046
This exploit is for Turbo Linux3; a local user can obtain root
privileges. We also confirmed this overflow on the following UNIXs:
Solaris 2.6, 2.7; IRIX 5.3, 6.2, 6.3, 6.4, 6.5
(uum is installed by default).
We could not check other cases.


(6) canuum

Problem:
This is a suid program that is installed by default on some Linux
distributions for Japanese editions. It overflows if a long argument is
specified with certain options such as -k, -c or -n, and a local
user can obtain root privileges.

Exploit:
http://shadowpenguin.backsection.net/toolbox.html#no047
This exploit is for Turbo Linux3; a local user can obtain root
privileges.

-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
   shadowpenguin@backsection.net (webmaster)
% eEye Digital Security Team [ http://www.eEye.com ]
   unyun@eEye.com