Title: Richard Everitt Pileup Buffer Overflow Vulnerability
Severity: HIGH
Description:
Pileup is a Linux morse code simulator for amateur radio operators which uses SoundBlaster hardware.
The C library 'scanf' family of functions reads data into variables from a character source, such as another string or an I/O stream, according to a format string.
A program can read a string into a variable with the '%s' conversion, which skips leading whitespace and then copies characters into the corresponding buffer until it reaches whitespace (including a newline), with no limit on how many characters it copies.
Using 'scanf' to read strings of arbitrary length into fixed-size buffers can therefore lead to exploitable overflow conditions, because '%s' without a field width enforces no bounds checking.
Pileup version 1.1 introduces two instances of dangerous scanf() use.
The conditions occur when reading command options in main() as well as when reading the user's callsign in the keyboard_thread() function.
During both operations, strings of arbitrary length are copied into local variables.
If the length of either string, read from standard input, exceeds the size of its input buffer, the excess data will overwrite other variables on the stack and the stack frame itself. Properly exploited, this will allow a user to replace the affected function's return address with a pointer to malicious shellcode.
Because this program is installed suid root, the shellcode will be executed with root privilege.
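The unbounded scanf("%s") pattern the advisory describes beside a bounded reader, as an added example that is not Pileup's own code: the buffer size CALLSIGN_SZ, the function names, and the sample inputs are assumptions for illustration, since the advisory does not state Pileup's actual buffer sizes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Pileup's own code.  The buffer size is an assumption for
 * illustration; the advisory does not state Pileup's actual buffer sizes. */
#define CALLSIGN_SZ 10   /* assumed: 9 visible characters plus the NUL */

/* Vulnerable shape described in the advisory (shown only as a comment):
 *
 *     char callsign[CALLSIGN_SZ];
 *     scanf("%s", callsign);   // no field width: a long token overruns the stack
 */

/* Number of bytes an unbounded "%s" conversion would write for this input:
 * the first whitespace-delimited token plus its terminating NUL. */
size_t unbounded_write_len(const char *line)
{
    size_t n = 0;
    while (isspace((unsigned char)*line))
        line++;                         /* %s skips leading whitespace */
    while (line[n] != '\0' && !isspace((unsigned char)line[n]))
        n++;
    return n + 1;
}

/* Hardened reader: a field width derived from the buffer size bounds the copy,
 * and "%n" lets us detect a token that did not fit so it is rejected instead of
 * silently truncated.  Returns 1 on success, 0 on rejection. */
int read_callsign(const char *line, char *out, size_t outsz)
{
    char fmt[16];
    int consumed = 0;

    if (outsz < 2 || outsz > 999)
        return 0;
    /* e.g. "%9s%n" for a 10-byte buffer: width = outsz - 1 leaves room for NUL */
    snprintf(fmt, sizeof fmt, "%%%zus%%n", outsz - 1);
    if (sscanf(line, fmt, out, &consumed) != 1)
        return 0;
    /* Something other than whitespace or end-of-line follows the token:
     * the input was longer than the buffer and has been cut short. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed])) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}
```

Comparing unbounded_write_len() against the destination size shows exactly when the original pattern would have written past the buffer; read_callsign() rejects such input rather than truncating it and leaving the remainder in the stream.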
Affected Products:
- Richard Everitt Pileup 1.1.0
References:
- Richard Everitt: Pileup program site
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.