Bugtraq mailing list archives
Re: More vulnerabilities in FP
From: dullien () GMX DE (Thomas Dullien)
Date: Fri, 21 Apr 2000 10:01:10 +0200
On Wed, 19 Apr 2000 08:08:25 -0400, The Cyberiad wrote:
> I confirmed the 742-A's caused a page fault in KERNEL32.DLL at 0167:bff87ede under FP 3.0.2.1105, installed with PWS under Windows 98 (PWS.EXE Version 4.02.0690). However, this length did not force A's into the EIP. Instead the stack pointer is corrupted, now pointing to invalid memory (which caused the page fault). The relationship of the corrupted stack pointer to the input overflow data is unclear (it's not 0x41414141) so I'll have to do some more reverse engineering; I did try longer strings with the same result.
I do not have access to a copy of FrontPage, but I downloaded htimage.exe (7.952 bytes) from some webserver with incorrect permissions set. I could _not_ reproduce a crash in which EIP is taken.

A rough look at the disassembled code revealed that the crash happens like this: if the fopen() call to the specified file fails, the program will create an error message on the stack in a static buffer of 1000 bytes length. The error message is: "Picture config file no found, tried the following:" Then, the program uses strcat() to append the PATH_TRANSLATED and PATH_INFO environment variables (the data passed to the program) to the error message on the stack. You can see that this will smash the stack.

Now comes the problem: this overflow occurs within main(), and before main() ret's anywhere, an error-output function is called which just printf()'s the error message and then calls exit(). I don't know if this is exploitable at all.

On the other hand, I don't claim this is a correct analysis. As I said, all I have is a single htimage.exe I downloaded from somewhere, and I tried to get the overflow to work. Shoddy coding in the file nonetheless.... strcat'ing user input onto the stack :-o

Concerning the crash on 9x, might be that some important things for the cleanup are on the stack... I didn't test under 9x, but under NT SP5, so it might be that 9x doesn't like the overwriting of the stack.

Thomas Dullien
dullien () gmx de
Win32 Security Consultant ;-> Hire me !
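The defect the post describes is an unchecked strcat() chain that appends two request-controlled environment variables (PATH_TRANSLATED and PATH_INFO) onto a fixed 1000-byte stack buffer. The C below is an added example written for this archive page; it is not code from htimage.exe, FrontPage, or the poster. It assumes only what the post states (the quoted message prefix and the 1000-byte buffer) and shows the bounded form of the same message construction: a length check that says whether a given pair of inputs would exceed the buffer, and an append helper that truncates instead of overrunning. The sample paths and the 1500-byte input in the demo functions are constructed values.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed 1000-byte message buffer the post describes. */
#define MSG_BUF_SIZE 1000

/* The error-message prefix quoted in the post. */
static const char MSG_PREFIX[] =
    "Picture config file no found, tried the following:";

/* Appends src to dst without ever writing past cap bytes (NUL included).
 * Returns 1 if all of src fitted, 0 if it had to be truncated.
 * This is the bounded replacement for an unchecked strcat(). */
static int bounded_append(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst);
    size_t n = strlen(src);
    size_t room, copy;

    if (used + 1 >= cap)            /* buffer already full */
        return n == 0;
    room = cap - used - 1;          /* bytes left before the NUL slot */
    copy = n < room ? n : room;
    memcpy(dst + used, src, copy);
    dst[used + copy] = '\0';
    return copy == n;
}

/* Pure length check, no write: would prefix + PATH_TRANSLATED + PATH_INFO
 * + NUL exceed a buffer of cap bytes? A 1 here is exactly the condition
 * under which the original strcat() chain overruns the stack buffer. */
int would_overflow(size_t cap, const char *path_translated, const char *path_info)
{
    size_t total = strlen(MSG_PREFIX) + strlen(path_translated)
                 + strlen(path_info) + 1;
    return total > cap;
}

/* Builds the message in the order the post describes, but with bounds.
 * Returns 1 if everything fitted, 0 if the inputs were truncated. */
int build_error_message(char *out, size_t cap,
                        const char *path_translated, const char *path_info)
{
    int ok;
    if (cap == 0)
        return 0;
    out[0] = '\0';
    ok  = bounded_append(out, cap, MSG_PREFIX);
    ok &= bounded_append(out, cap, path_translated ? path_translated : "");
    ok &= bounded_append(out, cap, path_info ? path_info : "");
    return ok;
}

/* Constructed sample: an ordinary request fits with room to spare. Returns 1. */
int demo_short_input_fits(void)
{
    const char *pt = "C:\\inetpub\\wwwroot\\map.conf";   /* constructed */
    const char *pi = "/map.conf";                         /* constructed */
    char buf[MSG_BUF_SIZE];
    int ok = build_error_message(buf, sizeof buf, pt, pi);
    return ok && !would_overflow(sizeof buf, pt, pi);
}

/* Constructed sample: a 1500-byte PATH_INFO would overrun the buffer;
 * the bounded builder truncates instead and leaves a NUL-terminated
 * string of exactly MSG_BUF_SIZE - 1 bytes. Returns 1. */
int demo_long_input_truncated(void)
{
    char big[1501];
    char buf[MSG_BUF_SIZE];
    int ok;
    memset(big, 'A', 1500);
    big[1500] = '\0';
    if (!would_overflow(sizeof buf, "", big))
        return 0;
    ok = build_error_message(buf, sizeof buf, "", big);
    return ok == 0 && strlen(buf) == MSG_BUF_SIZE - 1;
}

int main(void)
{
    printf("short input fits: %d\n", demo_short_input_fits());
    printf("long input truncated safely: %d\n", demo_long_input_truncated());
    return 0;
}
```

In a CGI binary the two inputs would come from getenv("PATH_TRANSLATED") and getenv("PATH_INFO"); the point of would_overflow() is that the decision to truncate (or reject the request) is made from the lengths before anything is written, so the error path cannot touch stack memory beyond the buffer regardless of how the caller later exits.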