Re: [Full-Disclosure] [SCSA-005] Proxomitron Naoko Long Path Buffer Overflow/DoS

From: Knud Erik Højgaard (kain@ircop.dk)
Date: 02/20/02

    From: Knud Erik Højgaard <kain@ircop.dk>
    To: Grégory Le Bras | Security Corporation <gregory.lebras@security-corp.org>, <full-disclosure@lists.netsys.com>
    Date: Wed, 20 Feb 2002 00:13:24 +0100
    

    Grégory Le Bras | Security Corporation wrote:
    > .: Proxomitron Naoko Long Path Buffer Overflow/DoS :.
    > ________________________________________________________________________
    >
    > Security Corporation Security Advisory [SCSA-005]
    > ________________________________________________________________________

    [snip]

    > Sending a parameter with a buffer of 1024 bytes in length or more,
    > causes Proxomitron Naoko to crash.
    >
    > This vulnerability can be easily exploited to execute code.
    >
    > Exploitation example :
    >
    > c:\Proxomitron>proxomitron AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    [snip A's]
    > AAAAAAAAAAAAAAAAAAAA

    Could you perhaps provide a real-world example where this might be used to
    gain additional privileges? I fail to see the useful bit in this
    vulnerability.

    --
    Knud
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    

