Date: Tue, 2 Nov 1999 22:39:56 +0900
From: UNYUN <shadowpenguin@BACKSECTION.NET>
Subject: Some holes for Win/UNIX softwares
To: BUGTRAQ@SECURITYFOCUS.COM

Hello,

We found security problems in some software for UNIX and Windows9*/NT.
This is a detailed report about these security problems. The following
problems are from posts to BUGTRAQ-JP (they are written in Japanese),
but there were some requests, so I am posting them to BUGTRAQ.

    vendor       software               version   exploitable on
  -----------------------------------------------------------------
  1 YAMAHA       YAMAHA MidiPlug        1.10b     IE4/5 Windows98J
  2 BTD STUDIO   ZOM-MAIL               1.09      Windows98J
  3              AN-HTTPd               1.20b     Windows98J
  4 IBM          HomePagePrint          1.0.7     Windows98J
  5              uum                    4.2       Turbo Linux3J
  6              canuum                 3.5b2     Turbo Linux3J

(1) YAMAHA MidiPlug 1.10b

Problem:
  The MIDI plug-in program "YAMAHA MidiPlug 1.10b-j" for Windows IE4/5
  contains a buffer overflow bug. If a long "TEXT" variable is specified
  in the EMBED tag, a buffer overflow occurs. If an attacker places the
  exploit on a web page, the visitor's host will be cracked by any
  instructions written in the "TEXT" variable.

Solution:
  If the check "execution of ActiveX controls and plugins" is set to
  "invalid", you can avoid this problem. "Display dialog box" mode is also
  vulnerable. The overflow occurs without the dialog box warning if the
  opened file is stored on the local disk and it is opened.

Exploit:
  http://shadowpenguin.backsection.net/toolbox.html#no051
  This exploit generates an HTML file that contains the exploit. The HTML
  file executes "c:\windows\welcome.exe" on the victim host. This was
  tested on Windows98 (Japanese).

(2) BTD STUDIO ZOM-MAIL 1.09

Problem:
  The Internet mailer "ZOM-MAIL 1.09" for Windows contains a buffer
  overflow bug. If a long attachment file name is contained in a received
  mail, a buffer overflow occurs when ZOM-MAIL pops that mail from the POP
  server. If an attacker places the exploit in the filename, the user's
  host will be cracked by any instructions written in the filename area.

Solution:
  Before you pop your mail with ZOM-MAIL, check your mail using another
  mailer that does not contain the same bug.

Exploit:
  http://shadowpenguin.backsection.net/toolbox.html#no050
  This exploit removes the file "c:\\windows\\test.txt". This was tested
  on Windows98 (Japanese).

(3) AN-HTTPd 1.20b

Problem:
  The test CGIs which are distributed with AN-HTTPd 1.20b contain a remote
  command execution problem.

Solution:
  [1] Remove the following test CGIs:
        cgi-bin/test.bat
        cgi-bin/input.bat
        cgi-bin/input2.bat
        ssi/envout.bat
  [2] Ver1.21 has been released at the official site.
        http://www.st.rim.or.jp/~nakata/

Exploit: (example)
  http://www.xxx.yy/cgi-bin/input.bat?|dir..\..\windows

(4) IBM HomePagePrint 1.0.7

Problem:
  The web page printout software "IBM HomePagePrint 1.0.7" contains a
  buffer overflow bug. If a long string is specified in the IMG_SRC tag, a
  buffer overflow occurs. If an attacker places the exploit on a web page,
  the visitor's host will be cracked by any instructions written in the
  IMG_SRC tag.

Solution:
  The patch can be downloaded at:
  http://www.ibm.co.jp/software/internet/hpgprt/down2.html

Exploit:
  http://shadowpenguin.backsection.net/toolbox.html#no045
  This exploit executes "c:\windows\notepad.exe" on the victim host. This
  was tested on Windows98 (Japanese).

(5) uum

Problem:
  This is a suid program which is installed by default on many kinds of
  UNIX Japanese editions. It overflows if a long argument is specified
  with the -D option, and a local user can obtain root privilege.

Exploit:
  http://shadowpenguin.backsection.net/toolbox.html#no046
  This exploit is for Turbo Linux3; a local user can obtain root
  privilege. We also confirmed this overflow on the following UNIXes:
  Solaris 2.6, 2.7, IRIX 5.3, 6.2, 6.3, 6.4, 6.5 (uum is installed by
  default). In other cases, we could not check.

(6) canuum

Problem:
  This is a suid program which is installed by default on some Linux
  distributions for Japanese editions. It overflows if a long argument is
  specified with some option specifications such as -k, -c, -n, and a
  local user can obtain root privilege.

Exploit:
  http://shadowpenguin.backsection.net/toolbox.html#no047
  This exploit is for Turbo Linux3; a local user can obtain root
  privilege.

-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
  shadowpenguin@backsection.net (webmaster)
% eEye Digital Security Team [ http://www.eEye.com ]
  unyun@eEye.com
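The AN-HTTPd test-CGI problem in (3) is one that an administrator can also look for after the fact in web server logs, since the request pattern is visible in the query string. The following is an added example, not part of the original post and not code from AN-HTTPd; it assumes Common Log Format access logs, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Test CGI scripts named in the advisory as shipped with AN-HTTPd 1.20b.
# Any request to them is worth flagging, since the fix is to delete them.
TEST_CGIS = {"/cgi-bin/test.bat", "/cgi-bin/input.bat",
             "/cgi-bin/input2.bat", "/ssi/envout.bat"}

# Common Log Format: client, ident, user, [timestamp], "METHOD target HTTP/x", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def classify_request(target):
    """Return None for unrelated requests, 'test_cgi_access' for any hit on
    a shipped test CGI, or 'command_injection' when the query carries a pipe
    (the pattern from the advisory), checked after URL-decoding."""
    path, _, query = target.partition("?")
    if path.lower() not in TEST_CGIS:  # Windows paths are case-insensitive
        return None
    if "|" in unquote(query):
        return "command_injection"
    return "test_cgi_access"

def scan_log(text):
    """Return a list of (client, verdict, decoded target) for flagged lines."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["target"])
        if verdict:
            findings.append((m["ip"], verdict, unquote(m["target"])))
    return findings

# Constructed sample log lines (not real traffic); line 2 carries the exact
# query from the advisory, line 4 carries the same query URL-encoded.
SAMPLE_LOG = "\n".join([
    r'10.0.0.5 - - [02/Nov/1999:22:39:56 +0900] "GET /index.html HTTP/1.0" 200 1234',
    r'10.0.0.7 - - [02/Nov/1999:22:40:01 +0900] "GET /cgi-bin/input.bat?|dir..\..\windows HTTP/1.0" 200 512',
    r'10.0.0.9 - - [02/Nov/1999:22:40:05 +0900] "GET /cgi-bin/input.bat?name=foo HTTP/1.0" 200 88',
    r'10.0.0.11 - - [02/Nov/1999:22:41:00 +0900] "GET /SSI/envout.bat?%7Cdir..%5C..%5Cwindows HTTP/1.0" 200 77',
])

if __name__ == "__main__":
    for ip, verdict, target in scan_log(SAMPLE_LOG):
        print(f"{ip:12} {verdict:18} {target}")
```

Any `test_cgi_access` hit means the scripts are still present and should be removed per the solution above; `command_injection` hits are the ones to investigate.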