
[ST2] Possible BoF [buffer overflow]

Post by attrition™ on Wed Jun 26, 2013 8:36 pm

Affected Systems: Linux, Windows, possibly other OS's
Affected Builds: Sublime Text v2.0.1, Build 2217

First a bit of info on how this was found.

I am a security professional, my job is to find holes, broken code, malfunctions, etc. and exploit
them to get the desired effect. My job, in other words, is to break things.

This is the only Sublime IDE Buffer Overflow I have been able to find.

I was playing with the Sublime Text source code and noticed it does not handle very long names when
declared from command line / terminal.

Let me elaborate:

Code:
subl `perl -e 'print "A"x5000'`


In short, this simple code uses Sublime's binary, perl, and a very long filename to introduce.

It overruns sublime and causes it to crash, but that is not the >only< bug.

It causes Sublime to close, but as Sublime is backgrounded on exit, it will close with that file,
but be saved in the buffer (e.g. 5,000 A's as the title).

Upon trying to reopen Sublime, the issues get worse:

1. Since you have overrun a buffer in Sublime, and Sublime automatically remembers everything you
type, it doesn't get rid of said file on restart and thus the program continues to crash on
subsequent reloads.
2. Program continues to load the title of the file you have not saved yet, and will cause an error
and crash even through reboot.
3. When you attempt to close the unsaved 5k A's file you get a transparent window that extends the
first and second workspaces. This is presumably the "Are you sure you wish to close this file
before saving?" window as it awaits approval from user to close the file.

As if none of these were bad enough, if Sublime is ever used as 'root', then it is backgrounded
(which I know some of us do for files in /opt, /etc, and /usr etc.) and this buffer overflow can be
exploited to not only give you a shell, but a shell of *any user running sublime* if you know a bit
about redirection and/or shellcode.

Proof of concept (PoC):

File unsaved: http://i.imgur.com/sHMQYqxl.jpg
Workspace 1: http://i.imgur.com/zKaGZ02l.jpg
Workspace 2: http://i.imgur.com/tVEphful.jpg

Forgive me for my long post, but it's my first and I felt the need to explain everything in detail.
Also, I hope I'm welcome here, I hope to contribute a lot more.
attrition™
 
Posts: 1
Joined: Mon Jun 24, 2013 10:00 pm
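
One way to bound a file-name argument like the one in the report above before it reaches a fixed-size buffer or saved session state, as an added example that is not part of the original post and not Sublime Text's code. The function name `check_file_arg`, the length limits and the title buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limits (typical Linux PATH_MAX / NAME_MAX), not taken from Sublime Text. */
#define MAX_PATH_LEN 4096
#define MAX_NAME_LEN 255
#define TITLE_BUF    64   /* hypothetical fixed-size tab-title buffer */

enum arg_status { ARG_OK = 0, ARG_EMPTY, ARG_PATH_TOO_LONG, ARG_NAME_TOO_LONG };

/* Validate a file-name argument, then copy a bounded, NUL-terminated
 * display title. On any rejection the title is left empty, so nothing
 * oversized can be shown or written to a session file. */
enum arg_status check_file_arg(const char *arg, char *title, size_t title_sz)
{
    if (title && title_sz) title[0] = '\0';
    if (arg == NULL || arg[0] == '\0') return ARG_EMPTY;

    size_t len = 0, run = 0;
    const char *base = arg;            /* start of the last path component */
    for (const char *p = arg; *p; p++) {
        if (++len >= MAX_PATH_LEN) return ARG_PATH_TOO_LONG;
        if (*p == '/') { run = 0; base = p + 1; }
        else if (++run > MAX_NAME_LEN) return ARG_NAME_TOO_LONG;
    }

    /* snprintf never writes more than title_sz bytes and always terminates. */
    if (title && title_sz) {
        if (strlen(base) < title_sz)
            snprintf(title, title_sz, "%s", base);
        else if (title_sz > 4)         /* truncate and mark with "..." */
            snprintf(title, title_sz, "%.*s...", (int)(title_sz - 4), base);
    }
    return ARG_OK;
}

int main(void)
{
    /* Constructed input: the 5000-character name from the report. */
    char big[5001], title[TITLE_BUF];
    memset(big, 'A', 5000);
    big[5000] = '\0';
    printf("5000 x 'A' -> status %d\n", check_file_arg(big, title, sizeof title));
    printf("/etc/hosts -> status %d, title \"%s\"\n",
           check_file_arg("/etc/hosts", title, sizeof title), title);
    return 0;
}
```

Running the same check when a saved session is reloaded keeps an oversized entry from being restored on every start.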

Re: [ST2] Possible BoF [buffer overflow]

Post by avb on Mon Oct 28, 2013 11:19 pm

Can someone from the Sublime team reply to this post? I am trying to get approval in my company to use Sublime as the main text editor for developers. However, the company is very careful in selecting tools, making sure that they are secure. Having no answer for 4 months about this issue makes it more difficult to get the approval.

Thanks!
avb
 
Posts: 1
Joined: Mon Oct 28, 2013 11:14 pm

