Fwd: AbiWord Link Grammar "separate_sentence()" Buffer Overflow

From: Dominic Lachowicz <domlachowicz_at_gmail.com>
Date: Fri Nov 09 2007 - 13:42:47 CET

FYI

---------- Forwarded message ----------
From: Secunia Research <vuln@secunia.com>
Date: Oct 23, 2007 6:50 AM
Subject: AbiWord Link Grammar "separate_sentence()" Buffer Overflow
To: domlachowicz@gmail.com
Cc: vuln@secunia.com

Hello,

Secunia Research has discovered a vulnerability in the AbiWord Link
Grammar library, which can be exploited by malicious people to
compromise a user's system.

The vulnerability is caused by a boundary error within the
"separate_word()" function in tokenize.c when processing overly long
words (over 61 bytes). This can be exploited to cause a stack-based
buffer overflow via a specially crafted sentence passed to the
"separate_sentence()" function.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 4.2.4.

Vulnerability Details:
----------------------

The vulnerability is caused by incorrectly calling the "strncpy()"
function in several places throughout "separate_word()".

Exploitation:
-------------

The vulnerability can be reproduced by creating a document containing
eight words separated by a comma on a single line, adding to a total
length of 150 characters. An AbiWord installation with the AbiGrammar
plugin enabled should crash when parsing the specially crafted document.

A PoC is available upon request.

Closing comments:
-----------------

We have assigned this vulnerability Secunia advisory SA27340 and CVE
identifier CVE-2007-5395.

A preliminary disclosure date of 2007-11-07 10am CET has been set, where
the details will be publicly disclosed. However, we are naturally
prepared to push the disclosure date if you need more time to address
the vulnerability.

Please acknowledge receiving this e-mail and let us know when you expect
to fix the vulnerability.

The original developers of Link Grammar were also contacted.

Credits should go to:
Alin Rad Pop, Secunia Research.

Also, if you have any questions, then please don't hesitate to contact
me.

-- 
Counting bodies like sheep to the rhythm of the war drums.
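The bounded-copy check that a fix for this class of bug needs, as an added C example that is not Link Grammar's or AbiWord's code: a tokenizer that rejects words longer than a fixed stack buffer instead of overflowing it. MAX_WORD_LENGTH, the separator set and the 150-character sample line are assumptions modelled on the advisory's description, not the library's real constants.

```c
#include <string.h>

/* Hypothetical buffer size (not the real constant from Link Grammar's
 * tokenize.c), chosen to match the advisory's "over 61 bytes" threshold. */
#define MAX_WORD_LENGTH 61

/* Copy a 'len'-byte word from 'src' into 'dst' (capacity 'dstsize').
 * Returns 1 on success, 0 if it does not fit. The length is checked against
 * the destination BEFORE copying and dst is always NUL-terminated. */
int copy_word_bounded(char *dst, size_t dstsize, const char *src, size_t len)
{
    if (dstsize == 0 || len >= dstsize) {   /* needs len + 1 bytes incl. NUL */
        if (dstsize) dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

/* Split 'sentence' on spaces and commas. Words that fit are counted in the
 * return value; overlong ones go to *rejected instead of overflowing. */
int separate_sentence_bounded(const char *sentence, int *rejected)
{
    char word[MAX_WORD_LENGTH + 1];   /* stack buffer, as in the advisory */
    int accepted = 0;
    const char *p = sentence;
    *rejected = 0;
    while (*p) {
        while (*p == ' ' || *p == ',') p++;          /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ' ' && *p != ',') p++;
        if (copy_word_bounded(word, sizeof word, start, (size_t)(p - start)))
            accepted++;
        else
            (*rejected)++;
    }
    return accepted;
}

/* Constructed line shaped like the advisory's trigger: eight comma-separated
 * words, 150 characters in total (136 + ",b,c,d,e,f,g,h"), one overlong. */
int demo_overlong_word_is_rejected(void)
{
    char line[160]; int rejected;
    memset(line, 'a', 136);                       /* one 136-byte word */
    memcpy(line + 136, ",b,c,d,e,f,g,h", 15);     /* 7 short words + NUL */
    return separate_sentence_bounded(line, &rejected) == 7 && rejected == 1;
}
```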