[VulnWatch] Re: [HAT-SQUAD] NetCat Remote Critical Vulnerability, Poc inside.

From: Chris Wysopal (weld_at_vulnwatch.org)
Date: 12/28/04

    Date: Mon, 27 Dec 2004 20:36:22 -0500 (EST)
    To: vulnwatch@vulnwatch.org

    Application: Netcat for Windows 1.1
       Platform: Windows NT/2000/XP/2003
       Severity: Remote code execution
         Status: Fixed, new version available
           Date: 12/27/2004

    Summary

    Netcat for Windows 1.1 has a buffer overflow vulnerability that allows
    remote execution of code. It is exposed when netcat is run with the -e
    option, which execs a process and pipes the listening socket's I/O to the
    stdio of the exec'd process.

    Note that this issue does not exist in netcat for the unix platform.

    Details

    doexec.c (line 445) was missing a check to see if BufferCnt had
    incremented past the end of the receive buffer. With the check in place
    the buffer is flushed before it overwrites the end. The following new
    line adds the check.

      if (RecvBuffer[0] == '\n' || RecvBuffer[0] == '\r' ||
          BufferCnt > BUFFER_SIZE-1) {
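    A constructed model of that accumulating loop, added here as an example
    and not taken from doexec.c: the names, the structure and the shrunken
    BUFFER_SIZE are assumptions, and a store past the end of the buffer is
    recorded rather than performed so the 1.1 and 1.11 conditions can both be
    run safely on the same input.

```c
#include <stddef.h>
#include <string.h>

/* Assumed value, shrunk from the real one so the flush point is easy to see. */
#define BUFFER_SIZE 16

struct accum {
    char   line[BUFFER_SIZE];  /* bytes waiting to go to the child's stdin */
    size_t cnt;                /* stands in for BufferCnt: next free slot */
    size_t flushes;            /* how many times the buffer was handed over */
    int    overrun;            /* set if a write past line[BUFFER_SIZE-1] was attempted */
};

/* Stand-in for writing the buffered bytes to the exec'd process. */
static void flush_line(struct accum *a)
{
    a->flushes++;
    a->cnt = 0;
}

/* Handle one received byte (RecvBuffer[0] in the advisory's terms), either
 * with the 1.11 bounds check (checked != 0) or with the 1.1 logic that only
 * flushed on a line ending. The out-of-bounds store is skipped and flagged
 * instead of corrupting memory, so the unchecked variant can be exercised. */
static void feed_byte(struct accum *a, char c, int checked)
{
    if (a->cnt < BUFFER_SIZE)
        a->line[a->cnt] = c;
    else
        a->overrun = 1;        /* 1.1 would write past the buffer here */
    a->cnt++;
    if (c == '\n' || c == '\r' || (checked && a->cnt > BUFFER_SIZE - 1))
        flush_line(a);
}

/* Feed a whole chunk of socket data; returns 1 if any store would have
 * landed past the end of the buffer, 0 otherwise. */
int feed(struct accum *a, const char *data, size_t len, int checked)
{
    memset(a, 0, sizeof *a);
    for (size_t i = 0; i < len; i++)
        feed_byte(a, data[i], checked);
    return a->overrun;
}
```

    With the check in place a 64-byte run with no line ending is handed over
    in four full buffers; without it the count drifts past the end after the
    sixteenth byte.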

    Update

    A fixed version, Netcat for Windows 1.11, is available at:
    http://www.vulnwatch.org/netcat/

    Credit

    Hat Squad discovered this vulnerability. Hat Squad's advisory is
    available at http://www.hat-squad.com/en/000142.html

