Vulnerability Development mailing list archives

Buffer Overflow Exploitable?


From: "Secterm ." <securityterminal () hotmail com>
Date: Sat, 03 Aug 2002 00:46:42 -0600

List-

I've come across a buffer overflow and was curious of whether it's exploitable or rather simply a bug. Essentially the code looks like:

#include <cstdio>
#include <cstring>

FILE *logHandler = NULL;
if (logFlag == 1)
{
    // _MAX_PATH is 260 bytes; GetExePath() alone may return up to that length
    static char logFileName[_MAX_PATH];
    ::strcpy(logFileName, Path::GetExePath());
    ::strcat(logFileName, "security.log");   // appends 12 more bytes with no space check
    logHandler = fopen(logFileName, "w");
}

This is WIN32 programming so I did some searching and found that _MAX_PATH is defined as a constant in Windows.pas as 260 characters. The "GetExePath()" function returns the PATH in which the application is being run from within (e.g. c:\program files\app). Windows is restricting this PATH length to 260 characters (at least I presume it's 260 because of Windows.pas).

Anyway, since this code strcpy's and then strcat's "security.log" to the application's PATH, I noted this could result in a buffer overflow, in the variable "logFileName", in the event that the application's PATH is larger than 248 characters, which is valid as it's less than the Windows defined 260 characters. However, my question is: apart from putting the application in a PATH of greater than 248 characters in length, is there a way to intercept "GetExePath" and feed it a bogus PATH length in order to cause an exploitable buffer overflow or some other attack that would be security related? Appreciate any input. Thanks.

-Secterm
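A bounded version of the log-path construction discussed in the post above, added here as an example and not code from the original message or the application it describes. It assumes a 260-byte _MAX_PATH (defined locally where the CRT does not supply it) and takes the executable directory as a plain string argument in place of Path::GetExePath(); the function refuses to build the path when the directory, "security.log" and the terminator would not all fit, which is the case the strcpy/strcat pair never checks.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef _MAX_PATH
#define _MAX_PATH 260   /* Windows CRT value; defined here so the example also builds elsewhere */
#endif
#define LOG_NAME "security.log"

/* Build "<exe_dir>security.log" into out (capacity out_len). Returns 1 on success,
 * 0 when the result would not fit; out is always NUL-terminated on return. */
int build_log_path(const char *exe_dir, char *out, size_t out_len)
{
    size_t dir_len = strlen(exe_dir);
    size_t need = dir_len + strlen(LOG_NAME) + 1;   /* +1 for the terminator */

    if (out_len == 0) return 0;
    if (need > out_len) {
        out[0] = '\0';   /* leave a valid empty string rather than a truncated path */
        return 0;
    }
    memcpy(out, exe_dir, dir_len);
    memcpy(out + dir_len, LOG_NAME, strlen(LOG_NAME) + 1);
    return 1;
}

/* Longest exe_dir the original fixed-size buffer can hold once the name is appended. */
size_t max_safe_dir_len(void)
{
    return _MAX_PATH - strlen(LOG_NAME) - 1;   /* 260 - 12 - 1 = 247 */
}

int main(void)
{
    static char logFileName[_MAX_PATH];
    char long_dir[_MAX_PATH];
    const char *short_dir = "c:\\program files\\app\\";   /* constructed sample */

    /* constructed 250-char directory: under _MAX_PATH, but too long once the
     * file name is appended, which is exactly what strcpy/strcat do not check */
    memset(long_dir, 'a', 250);
    long_dir[250] = '\0';

    printf("short dir: %d -> %s\n",
           build_log_path(short_dir, logFileName, sizeof logFileName), logFileName);
    printf("250-char dir: %d (limit is %zu chars)\n",
           build_log_path(long_dir, logFileName, sizeof logFileName), max_safe_dir_len());
    return 0;
}
```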



