Buffer Overflow Exploitable?

From: Secterm . (securityterminal@hotmail.com)
Date: 08/03/02


From: "Secterm ." <securityterminal@hotmail.com>
To: vuln-dev@securityfocus.com
Date: Sat, 03 Aug 2002 00:46:42 -0600

List-

I've come across a buffer overflow and was curious whether it's
exploitable or rather simply a bug. Essentially the code looks like:

logHandler = NULL;
if(logFlag == 1)   /* comparison; a bare "=" here would assign and always be true */
{
     static char logFileName[_MAX_PATH];          /* fixed 260-byte buffer */
     ::strcpy(logFileName, Path::GetExePath());    /* unbounded copy of the exe path */
     ::strcat(logFileName, "security.log");        /* appends 12 chars + NUL with no length check */
     logHandler = fopen(logFileName, "w");
}

This is WIN32 programming so I did some searching and found that _MAX_PATH
is defined as a constant in Windows.pas as 260 characters. The
"GetExePath()" function returns the PATH in which the application is being
run from within (e.g. c:\program files\app). Windows is restricting this
PATH length to 260 characters (at least I presume it's 260 because of
Windows.pas).

Anyway, since this code strcpy's and then strcat's "security.log" to the
application's PATH, I noted this could result in a buffer overflow, in the
variable "logFileName", in the event that the application's PATH is larger
than 248 characters. Which is valid as it's less than the Windows-defined 260
characters. However, my question is: apart from putting the application in a
PATH of greater than 248 characters in length, is there a way to intercept
"GetExePath" and feed it a bogus PATH length in order to cause an exploitable
buffer overflow or some other attack that would be security related?
Appreciate any input. Thanks.

-Secterm

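A bounds analysis of the construct in the post, added here as an example and not code from the original message: it computes the longest executable path that still fits the 260-byte buffer once "security.log" (12 characters) and the terminating NUL are appended, and shows a length-checked replacement for the strcpy/strcat pair that refuses to write rather than overflow. Path::GetExePath is stood in for by a constructed sample path; the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Same buffer size as the _MAX_PATH constant named in the post. */
#define LOG_MAX_PATH 260
#define LOG_SUFFIX "security.log"   /* 12 characters */

/* Would strcpy(exe_path) followed by strcat(LOG_SUFFIX) fit in a
 * LOG_MAX_PATH buffer? The NUL must fit too, so the longest safe
 * path length is LOG_MAX_PATH - strlen(LOG_SUFFIX) - 1 = 247. */
bool log_path_fits(size_t exe_path_len)
{
    return exe_path_len + strlen(LOG_SUFFIX) + 1 <= LOG_MAX_PATH;
}

/* Hardened replacement for the strcpy/strcat pair: builds the name with a
 * size-limited snprintf and returns -1 (leaving out empty) when the result
 * would not fit. out_len is the real size of out. */
int build_log_path(const char *exe_path, char *out, size_t out_len)
{
    if (out_len == 0) return -1;
    int n = snprintf(out, out_len, "%s%s", exe_path, LOG_SUFFIX);
    if (n < 0 || (size_t)n >= out_len) {   /* truncated: the old code would have overflowed */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed sample path of exactly 'len' characters (len >= 4),
 * shaped like c:\aaa...\ so the boundary can be probed. */
void make_sample_path(char *buf, size_t len)
{
    memcpy(buf, "c:\\", 3);
    memset(buf + 3, 'a', len - 4);
    buf[len - 1] = '\\';
    buf[len] = '\0';
}

/* Result of the hardened builder for a path of the given length. */
int build_rc_for_len(size_t len)
{
    char exe_path[300], log_name[LOG_MAX_PATH];
    make_sample_path(exe_path, len);
    return build_log_path(exe_path, log_name, sizeof log_name);
}

int main(void)
{
    size_t lens[] = {20, 247, 248};
    for (size_t i = 0; i < 3; i++)
        printf("path length %zu: %s\n", lens[i],
               build_rc_for_len(lens[i]) == 0 ? "ok" : "rejected (would overflow)");
    return 0;
}
```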



