| 2008-08-05 05:22:42 |
Aaron Grattafiori |
description |
Binary package hint: yelp
Gnome's help program "yelp" is affected by a classic format string vulnerability
when reporting an invalid URI using a gtk_message_dialog. The function gtk_message_dialog_format_secondary_markup()
is called without a format string.
Details:
--------
After specifying an invalid URI, using ftp:// or file:// (or even no URI handler at all!)
An error message saying "The requested URI %s is invalid" is created using on line 1008 of yelp-window.c which
passes the gchar string into the window_error function located at 1129 of the same file.
The GTK dialog box is then created insecurely by *not* using a format string at line 1156 of yelp-window.c.
The function prototype for gtk_message_dialog_format_secondary_markup is:
void gtk_message_dialog_format_secondary_markup (GtkMessageDialog *message_dialog,
const gchar *message_format,
...);
where message_format is a "printf()-style markup string".
see: http://library.gnome.org/devel/gtk/2.12/GtkMessageDialog.html#gtk-message-dialog-format-secondary-markup
Incorrect/vulnerable usage here:
http://svn.gnome.org/viewvc/yelp/trunk/src/yelp-window.c?revision=3145&view=markup
You can see the code was changed "cleaned up" from properly using a format string, to its removal here:
http://svn.gnome.org/viewvc/yelp/trunk/src/yelp-window.c?annotate=2848#l1130
PoC:
----
yelp ftp://%08x.%08x.%08x.%08x.%08x.%08x
yelp %x%x%x%x%x%x://
yelp %08x%08x
Impact:
------
Because of yelp's network capability, this vulnerably may be remotely exploitable via minimal user-assistance in Firefox, Evolution and other programs with
the 'man' or 'ghelp' URIs registered. Evolution will prompt the user for confirmation (which displays the program and arguments) but sadly Firefox 3.0 does
not allow for preview of the arguments being passed. (I think all arguments being passed to applications via Firefox or whatever program should be displayed.
This seems like a regression in security from Firefox 2)
This vulnerability could be exploited to execute arbitrary code with the user's privileges and possible user-assisted execution of arbitrary code by clicking on a malicious link.
Effected Versions:
---------
All newer than 2.19.90
Fix:
----------
Patch the function call to use a format string per GTK+ documentation.
Similar to the properly used call gtk_message_dialog_format_secondary_text()
at line 581 of yelp-print.c
-Aaron Grattafiori |
Binary package hint: yelp
Gnome's help program "yelp" is affected by a classic format string vulnerability
when reporting an invalid URI using a gtk_message_dialog. The function gtk_message_dialog_format_secondary_markup()
is called without a format string.
Details:
--------
After specifying an invalid URI, using ftp:// or file:// (or even no URI handler at all!)
An error message saying "The requested URI %s is invalid" is created using on line 1008 of yelp-window.c which
passes the gchar string into the window_error function located at 1129 of the same file.
The GTK dialog box is then created insecurely by *not* using a format string at line 1156 of yelp-window.c.
The function prototype for gtk_message_dialog_format_secondary_markup is:
void gtk_message_dialog_format_secondary_markup (GtkMessageDialog *message_dialog,
const gchar *message_format,
...);
where message_format is a "printf()-style markup string".
see: http://library.gnome.org/devel/gtk/2.12/GtkMessageDialog.html#gtk-message-dialog-format-secondary-markup
Incorrect/vulnerable usage here:
http://svn.gnome.org/viewvc/yelp/trunk/src/yelp-window.c?revision=3145&view=markup
You can see the code was changed "cleaned up" from properly using a format string, to its removal here:
http://svn.gnome.org/viewvc/yelp/trunk/src/yelp-window.c?annotate=2848#l1130
PoC:
----
yelp ftp://%08x.%08x.%08x.%08x.%08x.%08x
yelp %x%x%x%x%x%x://
yelp %08x%08x
Impact:
------
Because of yelp's network capability, this vulnerably may be remotely exploitable via minimal user-assistance in Firefox, Evolution and other programs with the 'man' or 'ghelp' URIs registered. Evolution will prompt the user for confirmation (which displays the program and arguments) but sadly Firefox 3.0 does not allow for preview of the arguments being passed. (I think all arguments being passed to applications via Firefox or whatever program should be displayed.
This seems like a regression in security from Firefox 2)
This vulnerability could be exploited to execute arbitrary code with the user's privileges and possible user-assisted execution of arbitrary code by clicking on a malicious link.
Effected Versions:
---------
All newer than 2.19.90
Fix:
----------
Patch the function call to use a format string per GTK+ documentation.
Similar to the properly used call gtk_message_dialog_format_secondary_text()
at line 581 of yelp-print.c
-Aaron Grattafiori |
|
