Vulnerability Development mailing list archives
Re: strcpy bug
From: xenophi1e <oliver.lavery () sympatico ca>
Date: 7 Jun 2003 18:34:59 -0000
In-Reply-To: <Law15-F17rjbudzxxfY00026977 () hotmail com>
The windows "Search for files and folders" utility will search binaries
and
can often find the linkage names of functions and dlls they call. None
*Lol*. I never would have thought to use the pretty GUI with the little doggie for anything like this. But of course, it's really just a not-so- good strings / objdump | grep.
Bah. That 0x104 in the size field of the result string from the RtlUnicodeStringToAnsiString call not only protects the stack frame, it
also
stops us feeding too long a string through the W version to the A
version.
D'oh.
Yeah, another obvious problem I realised after posting is that MAX_PATH on windows is 260 / 0x104. So the overflowable buffer is MAX_PATH characters long. There's some protection since applications that are well written probably won't call a file open sort of function with a filename longer than MAX_PATH. Of course we all know how many applications are actually well written...
So I guess the answer to your question is "Potentially, IE, OE, MSHta.exe and anything else that uses the IE browser engine. Font-face style tag perhaps?
Hmm, that's a good analysis, thanks. I'll have to have a lookse at t2embed.dll the next time I sit down with IDA. Cheers, ~x
Current thread:
- strcpy bug xenophi1e (Jun 01)
- <Possible follow-ups>
- Re: strcpy bug Dave Korn (Jun 05)
- Re: strcpy bug xenophi1e (Jun 09)
- Re: strcpy bug Dave Korn (Jun 10)