Vulnerability Development mailing list archives
RE: NCSec: Local Buffer Overflow in Microsoft's Net Messenger Service
From: Stuart Adamson <stuart.adamson () evolution net>
Date: Wed, 15 May 2002 11:02:35 +0100
We recently found an unchecked buffer in Microsoft's Net Messenger service (Sitedude found it first actually). By sending more than 2050 chars with the SEND function you can reproduce the buffer overflow locally....
You may check it out using a sample program I made to create it. Yes guys, it's VB. I made it in VB because C wasn't parsing enough chars =\
try net send localhost `perl -e "print 'x'x2080"` (you'll need a real shell for the backticks to work - bash under cygwin works fine)

You're seeing 00 78 00 78 because internally net1.exe is handling the string as a wide string.

Out of interest - when you increase the buffer size you'll see that net1 dies in a different place (in the middle of wcscat()). This happens before the message is sent (with a shorter string the program only crashes as it's cleaning up after itself).

However - this bug is in the net1.exe executable which is the client - not the service - so I don't see how this is much more than just an annoying bug. It would be interesting to see what happens if you fix the client and send a long string to the csrss.exe service.

Stuart
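As an added illustration (not code from the thread or from Microsoft), the snippet below shows the length check that a client like net1.exe would need in front of the wcscat() Stuart mentions, and why 'x' shows up as 00 78 once the message is widened. The buffer size MSG_UNITS is an assumption chosen to match the ~2050-character threshold reported above; the real size inside net1.exe is not known from the thread.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the message buffer in UTF-16 code units, NUL included.
 * Assumed value for this example: the thread only says >2050 chars crash. */
#define MSG_UNITS 2051

/* Widen an ASCII message to UTF-16 code units (the "00 78 00 78" pattern
 * in the thread is 'x' stored as the 2-byte unit 0x0078), but only if it
 * fits in out[] with room for the terminating NUL. Returns the number of
 * units written (NUL excluded) or -1 if the message would overflow. */
static long widen_checked(const char *msg, uint16_t *out, size_t out_units) {
    size_t n = strlen(msg);
    if (out_units == 0 || n > out_units - 1)
        return -1;                   /* reject instead of writing past the end */
    for (size_t i = 0; i < n; i++)
        out[i] = (uint16_t)(unsigned char)msg[i];   /* 'x' -> 0x0078 */
    out[n] = 0;
    return (long)n;
}

/* Bytes the widened message occupies: two per character plus a 2-byte NUL. */
static size_t wide_bytes(size_t nchars) {
    return (nchars + 1) * 2;
}

/* Code unit stored for the first character of msg, or 0 if rejected. */
static uint16_t first_unit(const char *msg) {
    uint16_t units[8];
    return widen_checked(msg, units, 8) < 0 ? 0 : units[0];
}

/* Build a constructed message of n 'x' characters, like the
 * perl -e "print 'x'x2080" in the thread, and run it through the check.
 * Returns 1 if the message is accepted, 0 if it is rejected. */
static int try_send(size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL)
        return 0;
    memset(s, 'x', n);
    s[n] = '\0';
    uint16_t buf[MSG_UNITS];
    long r = widen_checked(s, buf, MSG_UNITS);
    free(s);
    return r >= 0;
}
```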