Vuln Dev
Re: vulnerabilities in this code chunk Jul 28 2007 12:18AM
bluepass gmail com
It is vulnerable to heap overflows.

An unsigned int and an unsigned long have the same size (4 bytes), as well as the same range (0 to 4294967295). The function 'copy_data()' takes 'data_len' as an unsigned int. The function 'memcpy()' takes its parameter as a 'size_t' which is nothing but an unsigned long.

If we send 'data_len' as 0xFFFFFFF8, when the 8 is added inside 'malloc()' it will become 0x100000000, and 1 being an overflow it will be dropped. Note that this overflow is not the same as the heap overflow. This will cause 'malloc()' to allocate no space, however it will return an address.

When the data will be added to it with 'memcpy()' it will cause a heap overflow. With a good shellcode as 'data' and knowing that its address will be buf+8, you can execute arbitrary code.

- BluePass

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus