Dailydave mailing list archives
Fwd: Ferret
From: <gerbil () hushmail com>
Date: Tue, 06 Mar 2007 11:36:48 -0500
Dear Phrack Magazine,
Ferret-1/Ferret/http.c:

    void process_simple_http(struct Seaper *seap, struct NetFrame *frame,
                             const unsigned char *px, unsigned length)
    {
        char method[16];
        ...
        x=0;
        while (i<length && !isspace(px[i])) {
            if (x < sizeof(method) -1) {
                method[x++] = (char)toupper(px[i++]);
                method[x] = '\0';
            }
        }
Cool dude! Mine is better. It makes it so that you can buffer overflow a buffer! Check out this one.

Summary: Ferret-1/Ferret/wifi80211.c:

    void process_wifi_fields(struct Seaper *seap, struct NetFrame *frame,
                             const unsigned char *px, unsigned length,
                             unsigned offset, struct WIFI_MGMT *wifimgmt)
    {
        .....
        case 7: /* COUNTRY INFORMATION */
        ...
        char country[16];
        ...
        char power[32];
        if (country_len > sizeof(country-1))
            country_len = sizeof(country-1);
        memcpy(country, px+offset, country_len);
        country[country_len] = '\0';
        .....
    }

OMFG DUDE the negative one should go OUTSIDE the paren! WTF! Someone should have hired a security startup to audit this code; one that actually knows what it is doing LoL!

Due to the behavior of the sizeof operator when passed a pointer (accidentally or intentionally! OMFG WHAT A POWERFUL LANGUAGE) it is trivial to exploit this vulnerability using a specially crafted wifi packet on processors which have pointers larger than 16 bytes. This means that this bug affects ferret on x86_192 and x86_256 processors. Exploitation of this vulnerability will in most (all?) cases lead to excessive seepage and theft of pornography.

Affected products: Everything except QNX RTOS and grSecurity

Solution: Hire competent code auditors before running third party code

Truly Yours,
Gerbil Seepage
High Board Of Consular Directors and Heads of State

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
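The two Ferret excerpts quoted in the message above, reduced to stand-alone C so the behaviour can be checked, as an added example that is not part of the thread and not Ferret's own code. The Ferret function signatures, the Seaper/NetFrame types and the surrounding switch are not reproduced; the function names, the iteration budget and the sample inputs below are constructed for this demonstration. The point it shows: the http.c loop stops advancing `i` once `x` hits 15, so any method token of 16 or more bytes never terminates, while the wifi80211.c cap `sizeof(country-1)` is the size of a `char *` rather than 15, which truncates the country string but (on any real pointer width) cannot overflow `country[]`.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs (not captured traffic). */
static const unsigned char SAMPLE_GET[]  = "GET / HTTP/1.1\r\n";
/* 20 'A's before the first space: longer than method[] can hold. */
static const unsigned char SAMPLE_LONG[] = "AAAAAAAAAAAAAAAAAAAA / HTTP/1.1\r\n";
/* "US" plus 30 'A's: a country IE body well over 15 bytes. */
static const unsigned char SAMPLE_CC[]   = "USAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* http.c loop as posted. Once x == sizeof(method)-1 the if-body is skipped,
 * i is never advanced and the while condition never changes, so a method
 * token of 16+ non-space bytes spins forever. The iteration budget is added
 * here (it is not in Ferret) so the demo terminates: -1 means "would hang",
 * otherwise the number of bytes consumed is returned. out may be NULL. */
static int parse_method_as_posted(const unsigned char *px, unsigned length, char *out)
{
    char method[16] = "";
    unsigned i = 0, x = 0;
    unsigned long budget = 4UL * length + 16;   /* instrumentation only */

    while (i < length && !isspace(px[i])) {
        if (x < sizeof(method) - 1) {
            method[x++] = (char)toupper(px[i++]);
            method[x] = '\0';
        }
        if (budget-- == 0)
            return -1;
    }
    if (out) memcpy(out, method, sizeof(method));
    return (int)i;
}

/* Fixed loop: i advances on every iteration; bytes beyond the 15 kept are
 * simply discarded, so the token is consumed and the buffer still fits. */
static int parse_method_fixed(const unsigned char *px, unsigned length, char *out)
{
    char method[16] = "";
    unsigned i = 0, x = 0;

    while (i < length && !isspace(px[i])) {
        if (x < sizeof(method) - 1) {
            method[x++] = (char)toupper(px[i]);
            method[x] = '\0';
        }
        i++;
    }
    if (out) memcpy(out, method, sizeof(method));
    return (int)i;
}

/* wifi80211.c cap as posted: `country-1` is a pointer expression, so
 * sizeof yields sizeof(char *) (8 on LP64, 4 on ILP32), not 15. The copy is
 * capped at pointer size: no overflow, just silent truncation.
 * Returns the number of bytes that end up in the string. */
static size_t country_as_posted(const unsigned char *px, size_t country_len)
{
    char country[16];
    if (country_len > sizeof(country-1))
        country_len = sizeof(country-1);
    memcpy(country, px, country_len);
    country[country_len] = '\0';
    return strlen(country);
}

/* Fixed cap: the -1 outside the parentheses gives sizeof(country)-1 == 15,
 * leaving room for the terminator. */
static size_t country_fixed(const unsigned char *px, size_t country_len)
{
    char country[16];
    if (country_len > sizeof(country) - 1)
        country_len = sizeof(country) - 1;
    memcpy(country, px, country_len);
    country[country_len] = '\0';
    return strlen(country);
}

int main(void)
{
    char m[16];
    printf("sizeof(country-1) on this build: %zu\n", sizeof(char *));
    printf("GET: fixed loop consumed %d bytes, method '%s'\n",
           parse_method_fixed(SAMPLE_GET, sizeof(SAMPLE_GET) - 1, m), m);
    printf("20-byte method: as posted -> %d (hang), fixed -> %d bytes, method '%s'\n",
           parse_method_as_posted(SAMPLE_LONG, sizeof(SAMPLE_LONG) - 1, NULL),
           parse_method_fixed(SAMPLE_LONG, sizeof(SAMPLE_LONG) - 1, m), m);
    printf("country IE: as posted keeps %zu bytes, fixed keeps %zu\n",
           country_as_posted(SAMPLE_CC, sizeof(SAMPLE_CC) - 1),
           country_fixed(SAMPLE_CC, sizeof(SAMPLE_CC) - 1));
    return 0;
}
```

Run it on a 64-bit host and the country cap comes out as 8; on a 32-bit build it is 4. Either way the cap is below the 16-byte buffer, which is the whole reason the "pointers larger than 16 bytes" line in the message is a joke; the loop in http.c, by contrast, is a genuine hang on a single oversized request.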
Current thread:
- Ferret Ronaldo Vasconcellos (Mar 05)
- Re: Ferret Phrack Senate Omniscient (Mar 06)
- Message not available
- Re: Ferret Robert Wesley McGrew (Mar 06)
- Message not available
- Re: Ferret Pusscat (Mar 06)
- Re: Ferret J.M. Seitz (Mar 06)
- Re: Ferret Phrack Senate Omniscient (Mar 06)
- <Possible follow-ups>
- Fwd: Ferret gerbil (Mar 06)