Bugtraq mailing list archives
Re: Telnetd AYT overflow scanner
From: der Mouse <mouse () Rodents Montreal QC CA>
Date: Wed, 25 Jul 2001 16:18:00 -0400 (EDT)
/*
 * Telnetd AYT overflow scanner, by Security Point(R)
 * Bug found by scut of TESO Security
[...]
 * With Security Point(R) Scanner you can find and repair the
 * Vulnerabilities before the bad guys get in.
Does anyone else find it as ironic as I that this code contains a... buffer overflow?
  char sendbuffer[5120*2];

  bzero(sendbuffer,sizeof(sendbuffer));
  for (i=0;i!=(sizeof(sendbuffer)/2);i++) {
    sprintf(sendbuffer,"%s%c%c",sendbuffer,255,246); // 0xff 0xf6 - IAC AYT
  }
Quite aside from the _horrible_ misuse of sprintf, this writes a NUL one byte past the end of sendbuffer[]. I sure wouldn't trust anything about my system to code from whoever wrote this. Just on a quick once-over, I see seven other things I would say are wrong with it.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse () rodents montreal qc ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
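The off-by-one described in the message above, as an added example that is not part of der Mouse's post or of the scanner's code: the loop runs 5120 times and each pass stores two bytes plus sprintf's terminating NUL, so the last NUL lands at index 10240 of a 10240-byte array. The emulation leaves out the original's overlapping sprintf call (passing the destination as a %s argument is undefined behaviour in C); the function names, the guard byte and the arena layout are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define SENDBUF (5120 * 2)   /* sizeof(sendbuffer) in the quoted code */
#define GUARD   0xAA         /* constructed marker for the byte after the buffer */

/* Emulates the effect of the quoted loop: each pass appends IAC, AYT and the
 * NUL that sprintf always writes. arena[SENDBUF] stands in for whatever lies
 * just past sendbuffer[]. Returns 1 if that byte was overwritten. */
int original_loop_clobbers_guard(void)
{
    static unsigned char arena[SENDBUF + 1];
    size_t i, pos = 0;
    memset(arena, 0, SENDBUF);          /* bzero(sendbuffer, sizeof(sendbuffer)) */
    arena[SENDBUF] = GUARD;
    for (i = 0; i != SENDBUF / 2; i++, pos += 2) {
        arena[pos]     = 255;           /* IAC */
        arena[pos + 1] = 246;           /* AYT */
        arena[pos + 2] = 0;             /* sprintf's terminator */
    }
    return arena[SENDBUF] != GUARD;     /* last pass wrote NUL at index SENDBUF */
}

/* Bounded replacement: stores whole IAC AYT pairs only while two bytes remain,
 * adds no terminator (the data is binary) and returns the length to send. */
size_t fill_iac_ayt(unsigned char *buf, size_t cap)
{
    size_t n = 0;
    while (cap - n >= 2) {
        buf[n++] = 255;
        buf[n++] = 246;
    }
    return n;
}

/* Returns 1 if the bounded fill leaves the byte after the buffer untouched. */
int bounded_fill_keeps_guard(void)
{
    static unsigned char arena[SENDBUF + 1];
    arena[SENDBUF] = GUARD;
    return fill_iac_ayt(arena, SENDBUF) == SENDBUF && arena[SENDBUF] == GUARD;
}

int main(void)
{
    printf("original clobbers guard: %d, bounded keeps guard: %d\n",
           original_loop_clobbers_guard(), bounded_fill_keeps_guard());
    return 0;
}
```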