Original PoC (http://en.securitylab.ru/poc/extra/382563.php)
# [*] Autore: ANTHRAX666 <firstname.lastname@example.org>
# [+] StackBased OverFlow In set_page_size()
# [/] EIPregister Is Raped By Us So Not Just Krash
On milw0rm ($URL)
# htmldoc 126.96.36.199 (.html) Universal Stack Overflow Exploit
# By ksa04
420 set_page_size(const char *size) /* I - Page size string */
424 char units; /* Units string */
487 else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)
Created attachment 198347 [details, diff]
Quick patch that should fix this issue. Comments?
From Secunia (http://secunia.com/advisories/35780/):
ANTHRAX666 has discovered a vulnerability in HTMLDOC, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an unsafe call to "sscanf()" in the "set_page_size()" function in htmldoc/util.cxx. This can be exploited to cause a stack-based buffer overflow when an HTML document containing e.g. a specially crafted "MEDIA SIZE" comment is being processed.
The vulnerability is confirmed in version 1.8.27. Other versions may also be affected.
2 symbols are enough. units may contain values: "mm", "cm", "in" (any other value == "px")
- else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)
+ else if (sscanf(size, "%fx%f%2s", &width, &length, units) >= 2)
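Review bot: the `2` in `%2s` is now a second copy of the size of `units`, so a later change to the `units` declaration shown above (its array length) would silently reopen the overflow; consider generating the width from the array size, or at least asserting that it equals `sizeof(units) - 1`. Also, because the call accepts a return value of 2, the third conversion may never have run and `units` is then left uninitialised; setting `units[0] = '\0'` before the `sscanf()` keeps the later unit comparison well defined.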
Mh, true. I have included this question in the upstream bug report.
Filed upstream as: http://www.htmldoc.org/str.php?L214
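A hardened version of that parse, as an added example that is neither HTMLDOC's code nor the attached patch: the `%s` width is generated from the buffer size so the two cannot drift apart, the return value is checked, and input left unread after a truncated suffix is rejected. `parse_page_size`, `page_size_t`, `expect` and the conversion to points are this example's own; the unit semantics (mm, cm, in, otherwise px) follow the thread.

```c
#include <stdio.h>
#include <string.h>

#define UNITS_MAX 2             /* "mm", "cm", "in", "px" are all 2 chars */
#define STR_(x) #x
#define STR(x) STR_(x)          /* UNITS_MAX -> "2", so the %s width tracks it */

typedef struct {
    float width, length;        /* in points (1/72 in) */
    char  units[UNITS_MAX + 1]; /* +1 for the terminating NUL */
} page_size_t;

/* Returns 1 and fills *out on success, 0 on malformed or oversized input.
 * Units: mm, cm, in, px; no suffix also means px, as the thread notes.
 * Stricter than the original: an unknown suffix is rejected, not ignored. */
int parse_page_size(const char *size, page_size_t *out)
{
    float w, l, scale = 1.0f;
    int consumed = -1, n;

    out->units[0] = '\0';       /* the %s may never match; keep it defined */
    n = sscanf(size, "%fx%f%" STR(UNITS_MAX) "s%n", &w, &l, out->units, &consumed);
    if (n < 2)
        return 0;               /* no "WxL" pair at all */
    if (n == 3) {
        /* %2s truncates, so "inches" leaves "ches" unread: reject that */
        if (consumed < 0 || size[consumed] != '\0')
            return 0;
        if (strcmp(out->units, "mm") == 0)      scale = 72.0f / 25.4f;
        else if (strcmp(out->units, "cm") == 0) scale = 72.0f / 2.54f;
        else if (strcmp(out->units, "in") == 0) scale = 72.0f;
        else if (strcmp(out->units, "px") != 0) return 0;
    }
    out->width  = w * scale;
    out->length = l * scale;
    return 1;
}

/* Check helper: parse `size`, compare status, units and a width range
 * (floats, so a range instead of equality). Returns 1 when all match. */
int expect(const char *size, int ok, const char *units, float lo, float hi)
{
    page_size_t ps;
    if (parse_page_size(size, &ps) != ok)
        return 0;
    return !ok || (strcmp(ps.units, units) == 0 && ps.width >= lo && ps.width <= hi);
}
```

Constructed inputs worth trying: "210x297mm" (A4, accepted and converted to points), "8.5x11inches" (suffix truncated to "in", rejected because "ches" is left over), and "10x20" followed by dozens of letters, the class of input from the advisory, which is rejected without touching memory past `units`.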
nion of Debian found two more insecure calls:
2142 if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)
12515 if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)
I tried to reproduce it and was able to cause a buffer overflow by supplying a crafted AFM font file with an overly long glyph name.
Created attachment 199846 [details, diff]
Upstream won't include the fix until 1.9 is released, so Carlo, please apply the patch.
Arches, please test and mark stable:
Target keywords : "alpha amd64 ia64 ppc sparc x86"
23 Aug 2009; Alex Legler <email@example.com> htmldoc-1.8.27-r1.ebuild:
amd64 stable, security bug 278186.
GLSA draft filed.
Buffer overflow in the set_page_size function in util.cxx in HTMLDOC
1.8.27 and earlier allows context-dependent attackers to execute
arbitrary code via a long MEDIA SIZE comment. NOTE: it was later
reported that there were additional vectors in htmllib.cxx and
ps-pdf.cxx using an AFM font file with a long glyph name, but these
vectors do not cross privilege boundaries.