------------------------------------------------------------------------
BCSA 011
Badly Coded, Inc. Security Advisory
October 2nd, 2017
------------------------------------------------------------------------

BCSA-011: Ex-mode command buffer overflow and macro vulnerabilities

Affected versions: 1.2 and earlier
Fixed versions: 1.3 and later

Two security vulnerabilities have been identified as affecting BCVI version 1.2 and before.

First, there was a buffer overflow vulnerability in the code that read ex-mode commands (those starting with ":") from the terminal. The amount read into the buffer was limited by the terminal's line length, but this could be larger than the fixed-size buffer provided to the Curses input routine. The change in version 1.2 to use mvgetnstr in place of mvgetstr was not an effective fix for the vulnerability because, while we supplied an explicit length limit, the limit could still be larger than the buffer size. This code was only vulnerable when BCVI was executed with a wide terminal size, but this limitation does not represent an effective defense because the width of a terminal can be falsified by a local attacker. This problem was fixed in version 1.3 by giving the buffer size as an additional length limit.

Second, we became aware of a number of vulnerabilities in BCVI's native-code macro feature (the "R" command). The macro feature contained an instruction-byte blacklist which attempted to prevent system calls and jumps and calls outside the macro. However, this feature could be bypassed by using the return instruction with an attacker-controlled stack value, or with self-modifying code. It was also possible for a macro to disable other security mechanisms. To address this issue for version 1.3, we have replaced the instruction blacklist with a more specific and limited instruction whitelist.
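The following is an added example, not code from BCVI or Badly Coded, Inc., illustrating the length-limit mistake described above. It replaces the Curses input routine with a constructed terminal_read() stand-in so it runs offline; EXBUF_SIZE, ex_limit_v12, ex_limit_v13, read_ex_command and read_demo are names assumed for this example. The version-1.2 limit is derived from the terminal width alone, so a wide (or falsified) terminal lets it exceed the buffer; the version-1.3 limit is the smaller of the terminal width and the space left in the buffer, which keeps the read in bounds and always leaves room for the terminating NUL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size ex-mode command buffer (size chosen for this example). */
#define EXBUF_SIZE 64

/* Stand-in for the curses input routine: the terminal delivers at most
 * `cols` characters of `line`, and the caller's `limit` caps the copy.
 * With the v1.2 limit this copy could exceed the destination buffer. */
static size_t terminal_read(char *dst, size_t limit, const char *line, int cols)
{
    size_t avail = strlen(line);
    if (cols >= 0 && avail > (size_t)cols)
        avail = (size_t)cols;
    if (avail > limit)
        avail = limit;
    memcpy(dst, line, avail);
    return avail;
}

/* Version-1.2 style limit: only the terminal width is considered. */
size_t ex_limit_v12(int cols)
{
    return cols > 0 ? (size_t)cols : 0;
}

/* Version-1.3 style limit: the buffer size is an additional bound,
 * minus one byte reserved for the NUL terminator. */
size_t ex_limit_v13(int cols, size_t bufsize)
{
    size_t lim = bufsize ? bufsize - 1 : 0;
    if (cols > 0 && (size_t)cols < lim)
        lim = (size_t)cols;
    return lim;
}

/* Check: would the v1.2 limit allow more bytes than the buffer holds? */
int v12_limit_exceeds_buffer(int cols, size_t bufsize)
{
    return ex_limit_v12(cols) > (bufsize ? bufsize - 1 : 0);
}

/* Hardened read: bounded by both width and buffer, always NUL-terminated.
 * Returns the number of command bytes stored. */
size_t read_ex_command(char *buf, size_t bufsize, const char *line, int cols)
{
    if (bufsize == 0)
        return 0;
    size_t n = terminal_read(buf, ex_limit_v13(cols, bufsize), line, cols);
    buf[n] = '\0';
    return n;
}

/* Drive the hardened read with a constructed line of `line_len` 'w'
 * characters on a terminal `cols` wide; returns the stored length. */
size_t read_demo(size_t line_len, int cols)
{
    char line[1024];
    char buf[EXBUF_SIZE];
    if (line_len > sizeof line - 1)
        line_len = sizeof line - 1;
    memset(line, 'w', line_len);
    line[line_len] = '\0';
    read_ex_command(buf, sizeof buf, line, cols);
    return strlen(buf);
}

int main(void)
{
    printf("v1.2 limit on a 500-column terminal exceeds %d-byte buffer: %s\n",
           EXBUF_SIZE, v12_limit_exceeds_buffer(500, EXBUF_SIZE) ? "yes" : "no");
    printf("v1.3 read of a 300-char line on 500 columns stores %zu bytes\n",
           read_demo(300, 500));
    return 0;
}
```

The check that matters is the one the advisory names: the explicit length passed to the input routine must never exceed the destination size, regardless of what the terminal reports, because a local user controls the terminal dimensions.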
We would like to acknowledge a number of students from the University of Minnesota's Computer Science and Engineering 5271 course who reported these vulnerabilities.

All BCVI users are recommended to upgrade at their earliest convenience.