Re: Telnetd AYT overflow scanner

From: der Mouse (mouse@Rodents.Montreal.QC.CA)
Date: 07/25/01


Date: Wed, 25 Jul 2001 16:18:00 -0400 (EDT)
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Message-Id: <200107252018.QAA25946@Twig.Rodents.Montreal.QC.CA>
To: bugtraq@securityfocus.com
Subject: Re: Telnetd AYT overflow scanner


> /*
> * Telnetd AYT overflow scanner, by Security Point(R)
> * Bug found by scut of TESO Security
[...]
> * With Security Point(R) Scanner you can find and repair the
> * Vulnerabilities before the bad guys get in.

Does anyone else find it as ironic as I that this code contains
a..buffer overflow?

> char sendbuffer[5120*2];

> bzero(sendbuffer,sizeof(sendbuffer));
> for (i=0;i!=(sizeof(sendbuffer)/2);i++) {
> sprintf(sendbuffer,"%s%c%c",sendbuffer,255,246); // 0xff 0xf6 - IAC AYT
> }

Quite aside from the _horrible_ misuse of sprintf, this writes a NUL
one byte past the end of sendbuffer[].

I sure wouldn't trust anything about my system to code from whoever
wrote this. Just on a quick once-over, I see seven other things I
would say are wrong with it.

/~\ The ASCII der Mouse
\ / Ribbon Campaign
 X Against HTML mouse@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B