Sublime Forum

[ST2] Possible BoF [buffer overflow]

#1

Affected Systems: Linux, Windows, possibly other OSes
Affected Builds: Sublime Text v2.0.1, Build 2217

First a bit of info on how this was found.

I am a security professional, my job is to find holes, broken code, malfunctions, etc. and exploit
them to get the desired effect. My job, in other words, is to break things.

This is the only Sublime IDE Buffer Overflow I have been able to find.

I was playing with the Sublime Text source code and noticed it does not handle very long names when
declared from command line / terminal…

Let me elaborate:

subl `perl -e 'print "A"x5000'`

In short, this simple code uses Sublime’s binary, perl, and a very long filename to introduce.

It overruns sublime and causes it to crash, but that is not the >only< bug.

It causes Sublime to close, but as Sublime is backgrounded on exit, it will close with that file,
but be saved in the buffer (e.g. 5,000 A’s as the title).

Upon trying to reopen Sublime, the issues get worse:

  1. Since you have overrun a buffer in Sublime, and Sublime automatically remembers everything you
    type, it doesn’t get rid of said file on restart and thus the program continues to crash on
    subsequent reloads.
  2. Program continues to load the title of the file you have not saved yet, and will cause an error
    and crash even through reboot.
  3. When you attempt to close the unsaved 5k A’s file you get a transparent window that extends the
    first and second workspaces. This is presumably the “Are you sure you wish to close this file
    before saving?” window as it awaits approval from user to close the file.

As if none of these were bad enough, if Sublime is ever used as ‘root’, then it is backgrounded
(which I know some of us do for files in /opt, /etc, and /usr etc.) and this buffer overflow can be
exploited to not only give you a shell, but a shell of any user running sublime if you know a bit
about redirection and/or shellcode.

Proof of concept (PoC):

File unsaved: http://i.imgur.com/sHMQYqxl.jpg
Workspace 1: http://i.imgur.com/zKaGZ02l.jpg
Workspace 2: http://i.imgur.com/tVEphful.jpg

Forgive me for my long post, but it’s my first and I felt the need to explain everything in detail.
Also, I hope I’m welcome here, I hope to contribute a lot more.

0 Likes
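As an added illustration (not code from the post, and not Sublime Text's own source, which the thread does not show), the following C sketch shows the general defensive handling of a user-supplied tab title such as the 5000-character argument above: measure with a bound before copying into a fixed buffer, reject rather than truncate, and re-apply the same check when a saved session is restored so that one bad entry cannot crash every later launch. TITLE_MAX, the struct layout and the session format are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#define TITLE_MAX 256 /* assumed size of the editor's fixed title buffer */
struct tab { char title[TITLE_MAX]; };

/* Vulnerable pattern: strcpy() trusts argv and writes past the buffer
 * when the name is longer than TITLE_MAX - 1. Shown only; never called. */
static void set_title_unchecked(struct tab *t, const char *name) {
    strcpy(t->title, name);
}

/* Hardened: measure with a bound, reject (do not truncate) over-long
 * names, and only then copy. Returns 0 on success, -1 if rejected. */
static int set_title_checked(struct tab *t, const char *name) {
    size_t n = 0;
    while (n < TITLE_MAX && name[n] != '\0') n++;
    if (n == TITLE_MAX) return -1; /* no room for the terminator */
    memcpy(t->title, name, n + 1);
    return 0;
}

/* Session restore applies the same check to persisted titles, so an
 * entry that was bad at startup cannot crash every subsequent launch.
 * Returns the number of tabs actually restored. */
static size_t restore_session(const char *const *saved, size_t n,
                              struct tab *out, size_t cap) {
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < cap; i++) {
        if (set_title_checked(&out[kept], saved[i]) == 0) kept++;
        else fprintf(stderr, "dropping over-long session entry %zu\n", i);
    }
    return kept;
}

/* Builds the constructed input from the post: len copies of c. */
static void fill_name(char *buf, size_t len, char c) {
    memset(buf, c, len);
    buf[len] = '\0';
}

int main(void) {
    static char big[5001];
    fill_name(big, 5000, 'A');
    struct tab t;
    printf("5000 A's accepted? %d\n", set_title_checked(&t, big)); /* -1 */
    const char *saved[] = { "notes.c", big, "todo.md" };
    struct tab out[3];
    printf("restored %zu of 3 tabs\n", restore_session(saved, 3, out, 3)); /* 2 */
    return 0;
}
```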

#2

Can someone from the Sublime team reply to this post, because I am trying to get approval in my company to use Sublime as the main text editor for developers. However, the company is very careful in selecting tools, making sure that they are secure. Having no answer for 4 months about this issue makes it more difficult to get the approval.

Thanks!

0 Likes