
Socat security advisory 3

Overview

A heap-based buffer overflow vulnerability has been found in the handling of data that is output on the READLINE address.

Successful exploitation may allow an attacker to execute arbitrary code with the privileges of the socat process.

Vulnerability Ids

CVE-2012-0219

Details

This vulnerability can be exploited when socat is invoked with the READLINE address (which is usually only used interactively) without option "prompt" and without option "noprompt", and an attacker succeeds in feeding malicious data to the other (arbitrary) address, which socat then transfers to the READLINE address for output. Without either option, socat scans that output for its last incomplete line in order to use it as the readline prompt; the overflow occurs while that line is copied.

The problem was caused by a coding error in function xioscan_readline().
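To make the class of bug concrete, the following is an added example and not socat's own code: a simplified prompt scanner that mirrors the behaviour described above (the last incomplete line of output becomes the readline prompt), in an unbounded form alongside a bounded one. The function names, and PROMPT_MAX = 512 as the size of the fixed heap buffer, are assumptions made for illustration; the payload in check_testcase() is the advisory's "\r" followed by 513 'A'.

```c
/* Added example, not socat code: a simplified readline prompt scanner.
 * Output that passes through the READLINE address is scanned for the text
 * after the last '\r' or '\n'; that tail becomes the prompt. PROMPT_MAX is
 * an assumed fixed heap buffer size. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROMPT_MAX 512   /* assumed size of the fixed prompt buffer */

/* Locate the text after the last '\r' or '\n' in buff (all of buff if there
 * is none) and store its length in *linelen. */
static const char *last_line(const char *buff, size_t bytes, size_t *linelen)
{
    const char *start = buff;
    for (size_t i = 0; i < bytes; i++) {
        if (buff[i] == '\r' || buff[i] == '\n')
            start = buff + i + 1;
    }
    *linelen = (size_t)((buff + bytes) - start);
    return start;
}

/* Vulnerable pattern: the tail is copied into a PROMPT_MAX-byte heap buffer
 * with no length check, so a tail longer than PROMPT_MAX bytes overflows the
 * allocation. Shown only to illustrate the bug; do not feed it untrusted
 * data (run it on the test case under AddressSanitizer to see the report). */
char *scan_prompt_unbounded(const char *buff, size_t bytes)
{
    size_t linelen;
    const char *line = last_line(buff, bytes, &linelen);
    char *prompt = malloc(PROMPT_MAX + 1);
    if (prompt == NULL)
        return NULL;
    memcpy(prompt, line, linelen);   /* heap overflow when linelen > PROMPT_MAX */
    prompt[linelen] = '\0';
    return prompt;
}

/* Bounded version: keep only the last PROMPT_MAX bytes of the tail (the part
 * a user would actually see as a prompt) and report that truncation happened. */
char *scan_prompt_bounded(const char *buff, size_t bytes, int *truncated)
{
    size_t linelen;
    const char *line = last_line(buff, bytes, &linelen);
    *truncated = 0;
    if (linelen > PROMPT_MAX) {
        line += linelen - PROMPT_MAX;
        linelen = PROMPT_MAX;
        *truncated = 1;
    }
    char *prompt = malloc(PROMPT_MAX + 1);
    if (prompt == NULL)
        return NULL;
    memcpy(prompt, line, linelen);
    prompt[linelen] = '\0';
    return prompt;
}

/* Length of the would-be prompt for a chunk of output, so a caller can see
 * whether the unbounded copy would exceed PROMPT_MAX. */
size_t prompt_tail_len(const char *buff, size_t bytes)
{
    size_t linelen;
    (void)last_line(buff, bytes, &linelen);
    return linelen;
}

/* Constructs the advisory's test case ("\r" then 513 'A') and runs the
 * bounded scanner on it. Returns 1 if the tail exceeded PROMPT_MAX and was
 * cut to exactly PROMPT_MAX bytes, 0 otherwise. */
int check_testcase(void)
{
    char payload[1 + 513];
    int truncated = 0;
    payload[0] = '\r';
    memset(payload + 1, 'A', 513);
    char *p = scan_prompt_bounded(payload, sizeof payload, &truncated);
    if (p == NULL)
        return 0;
    int ok = truncated && strlen(p) == PROMPT_MAX;
    free(p);
    return ok;
}

int main(void)
{
    const char sample[] = "user@host:~$ ls\nfile.txt\nuser@host:~$ ";
    int truncated;
    char *p = scan_prompt_bounded(sample, sizeof sample - 1, &truncated);
    printf("prompt: \"%s\" (truncated=%d)\n", p, truncated);
    free(p);
    printf("test case tail is %zu bytes, buffer holds %d: bounded scanner ok=%d\n",
           (size_t)513, PROMPT_MAX, check_testcase());
    return 0;
}
```

The unbounded function is the shape of the defect: the copy length is taken from the data, not from the allocation. The bounded one keeps the allocation size as the limit and discards the excess, which is also what the "noprompt" workaround achieves more bluntly by skipping the scan altogether.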

Testcase

To check your socat program do the following:

perl -e 'print "\r"."A"x 513' >/tmp/socat-data

socat readline exec:'cat /tmp/socat-data'

If socat crashes with a signal (e.g. SIGSEGV) and does not output any 'A', it is vulnerable.

Workaround

Use option prompt or option noprompt with the READLINE address.

Affected versions

1.4.0.0 - 1.7.2.0

2.0.0-b1 - 2.0.0-b4

Not affected or corrected versions

1.0.0.0 - 1.3.2.2

1.7.2.1 and later

2.0.0-b5 and later

Download

The updated sources can be downloaded from:

Patch to 1.7.2.0:

Patch to 2.0.0-b4:

History

2012/04/22 vulnerability report received

2012/04/22 fix to 1.7.2.0 generated

2012/04/27 fix to 2.0.0-b4 generated

2012/05/14 fixes published

Credits

Full credits to Johan Thillemann for finding and reporting this issue.