|
|
|
|
| |
| "CHMLIB is a library for dealing with Microsoft ITSS/CHM format files. " The chmlib library does not validate the length of buffers it receives, allowing attackers to cause it to overflow internal buffers and as a result execute arbitrary code. |
| |
Credit:
The information has been provided by iDEFENSE Labs.
The original article can be found at: http://www.idefense.com/application/poi/display?id=332&type=vulnerabilities
|
| |
Vulnerable Systems:
* chmlib version 0.35
Immune Systems:
* chmlib version 0.36 and above
Remote exploitation of a stack overflow vulnerability in chmlib as included in various Linux distributions allows attackers to execute arbitrary code.
The vulnerability specifically exists due to an unchecked memory copy while processing a CHM file.
The vulnerability exists in the following code, which is found in chm_lib.c:
static UChar *_chm_find_in_PMGL(UChar *page_buf, Uint32 block_len, const char *objPath)
{
[...]
char buffer[CHM_MAX_PATHLEN+1];
/* figure out where to start and end */
cur = page_buf;
hremain = _CHM_PMGL_LEN;
if (! _unmarshal_pmgl_header(&cur, &hremain, &header))
return NULL;
end = page_buf + block_len - (header.free_space);
/* now, scan progressively */
while (cur < end)
{
/* grab the name */
temp = cur;
strLen = _chm_parse_cword(&cur);
if (! _chm_parse_UTF8(&cur, strLen, buffer))
return NULL;
[..]
_chm_parse_cword can be forced to return a value larger than CHM_MAX_PATHLEN. This value is then used while copying user controlled data into a CHM_MAX_PATHLEN sized stack buffer. This allows the attacker full control over execution flow by overwriting the saved return address on the stack.
Exploitation could allow attackers to execute arbitrary code with the privileges of the user processing the CHM file. Remote exploitation can be achieved by sending a malicious file in an e-mail message to the target user.
CVE Information:
CAN-2005-2930
Disclosure Timeline:
09/08/2005 - Initial vendor notification
09/09/2005 - Initial vendor response
10/28/2005 - Public disclosure
|
|
|
|
|
