BID:2210

splitvt Format String Vulnerability

Info

splitvt Format String Vulnerability

Bugtraq ID:	2210
Class:	Access Validation Error
CVE:	CVE-2001-0111 CVE-2001-0112
Remote:	No
Local:	Yes
Published:	Jan 16 2001 12:00AM
Updated:	Jul 11 2009 04:46AM
Credit:	This vulnerability was first discovered by fish stiqz <[email protected]> and Michel "MaXX" Kaempf <[email protected]>, and was announced by Michel "MaXX" Kaempf <[email protected]> on January 14, 2001 via Bugtraq.
Vulnerable:	Sam Lantinga splitvt 1.6.4 Debian Linux 2.2 sparc Debian Linux 2.2 powerpc Debian Linux 2.2 arm Debian Linux 2.2 alpha Debian Linux 2.2 68k Debian Linux 2.2

Not Vulnerable:

Discussion

splitvt Format String Vulnerability

splitvt is a VT100 window splitter, designed to allow the user two command line interfaces in one terminal window, originally written by Sam Lantinga. It is freely available, open source, and included with many variants of the Linux Operating System.

A problem in the program could allow for a format string attack. The problem occurs in the handling of format strings by the -rcfile command line flag. By placing shellcode in the $HOME environment variable, and generating a custom crafted request to the splitvt program it is possible to overwrite variables on the stack, and arbitrarily execute code contained in the $HOME environment variable. This makes it possible for a user with malicious motives to execute arbitrary code, and in implementations with the splitvt binary installed SUID root, gain administrative privileges. There are also various reported buffer overflows in the code. These have been addressed in the new release.