Dailydave mailing list archives

Fwd: Ferret


From: <gerbil () hushmail com>
Date: Tue, 06 Mar 2007 11:36:48 -0500

Dear Phrack Magazine,

Ferret-1/Ferret/http.c:
void process_simple_http(struct Seaper *seap, struct NetFrame *frame,
                         const unsigned char *px, unsigned length) {
        char method[16];
        ...
        x=0;
        while (i<length && !isspace(px[i])) {
                if (x < sizeof(method) -1) {
                        method[x++] = (char)toupper(px[i++]);
                        method[x] = '\0';
                }
        }

Cool dude! Mine is better. It makes it so that you can buffer
overflow a buffer!

Check out this one.

Summary:

Ferret-1/Ferret/wifi80211.c:
void process_wifi_fields(struct Seaper *seap, struct NetFrame *frame,
                         const unsigned char *px, unsigned length, unsigned offset,
                         struct WIFI_MGMT *wifimgmt) {
.....
                case 7: /* COUNTRY INFORMATION */
                        ...
                                char country[16];
                                ...
                                char power[32];

                                if (country_len > sizeof(country-1))
                                        country_len = sizeof(country-1);
                                memcpy(country, px+offset, country_len);
                                country[country_len] = '\0';
.....
}

OMFG DUDE the negative one should go OUTSIDE the paren! WTF!
Someone should have hired a security startup to audit this code;
one that actually knows what it is doing LoL!

Due to the behavior of the sizeof operator when passed a pointer
(accidentally or intentionally! OMFG WHAT A POWERFUL LANGUAGE) it
is trivial to exploit this vulnerability using a specially crafted
wifi packet on processors which have pointers larger than 16 bytes.
This means that this bug affects ferret on x86_192 and x86_256
processors. Exploitation of this vulnerability will in most (all?)
cases lead to excessive seepage and theft of pornography.

Affected products:

Everything except QNX RTOS and grSecurity

Solution:

Hire competent code auditors before running third party code

Truly Yours,
Gerbil Seepage High Board Of Consular Directors and Heads of State


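The sizeof point in the message above, as an added example that is not part of the original mail or of Ferret's code: `country-1` is a pointer expression, so `sizeof(country-1)` is `sizeof(char *)` and the clamp caps `country_len` at the width of a pointer rather than at 15. On any real target a pointer is narrower than the 16-byte array, so the misplaced parenthesis silently truncates the Country element instead of overflowing it; the overflow needs the "pointers larger than 16 bytes" hardware the mail jokes about. The Country element payload below is constructed for the demo, not a capture; the function names are this example's own.

```c
/* Added example, not Ferret's own code: why sizeof(country-1) clamps to
 * the size of a pointer, and what that does to the copied element. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define COUNTRY_BUF 16   /* same size as the 'country' array in wifi80211.c */

/* The clamp as written in Ferret: sizeof is applied to the expression
 * (country-1), which decays to a char*, so the limit is sizeof(char*).
 * sizeof does not evaluate its operand, so forming country-1 here is
 * harmless even though the pointer itself would point before the array. */
size_t buggy_limit(void)
{
    char country[COUNTRY_BUF];
    return sizeof(country-1);
}

/* The clamp the author meant: the array size minus room for the NUL. */
size_t fixed_limit(void)
{
    char country[COUNTRY_BUF];
    return sizeof(country)-1;
}

/* Non-zero only if the buggy clamp could place the NUL past the buffer,
 * i.e. only where a pointer is at least COUNTRY_BUF bytes wide. */
int buggy_clamp_can_overflow(void)
{
    return buggy_limit() >= COUNTRY_BUF;
}

/* Copy a Country element payload exactly as the buggy code does and
 * report how many bytes of it survive the clamp. */
size_t bytes_kept_buggy(const unsigned char *px, size_t country_len)
{
    char country[COUNTRY_BUF];
    if (country_len > sizeof(country-1))
        country_len = sizeof(country-1);
    memcpy(country, px, country_len);
    country[country_len] = '\0';
    return strlen(country);
}

/* Same copy with the parenthesis where it belongs. */
size_t bytes_kept_fixed(const unsigned char *px, size_t country_len)
{
    char country[COUNTRY_BUF];
    if (country_len > sizeof(country)-1)
        country_len = sizeof(country)-1;
    memcpy(country, px, country_len);
    country[country_len] = '\0';
    return strlen(country);
}

/* Constructed sample payload (not a real capture): the country string
 * "US " followed by five (first channel, channel count, max tx power)
 * triplets. No byte is zero, so strlen reports the bytes actually copied. */
static const unsigned char SAMPLE_COUNTRY_IE[] = {
    'U', 'S', ' ',
    0x01, 0x0b, 0x1e,
    0x24, 0x04, 0x17,
    0x34, 0x04, 0x17,
    0x64, 0x0b, 0x1e,
    0x95, 0x05, 0x1e
};

int main(void)
{
    size_t len = sizeof SAMPLE_COUNTRY_IE;
    printf("sizeof(country-1) = %zu, sizeof(country)-1 = %zu\n",
           buggy_limit(), fixed_limit());
    printf("buggy clamp keeps %zu of %zu bytes, fixed clamp keeps %zu\n",
           bytes_kept_buggy(SAMPLE_COUNTRY_IE, len), len,
           bytes_kept_fixed(SAMPLE_COUNTRY_IE, len));
    printf("overflow possible on this target: %s\n",
           buggy_clamp_can_overflow() ? "yes" : "no");
    return 0;
}
```

On an LP64 build the buggy clamp keeps 8 of the 18 bytes and the fixed one keeps 15; a 32-bit build keeps 4. Compilers do not flag `sizeof(pointer expression)` by default, so this is the kind of check a reviewer greps for (`sizeof(` applied to anything containing an arithmetic operator) rather than one the toolchain hands you.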

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
