Vulnerability Development mailing list archives

RE: NCSec: Local Buffer Overflow in Microsoft's Net Messenger Service


From: Stuart Adamson <stuart.adamson () evolution net>
Date: Wed, 15 May 2002 11:02:35 +0100

    We recently found an unchecked buffer in Microsoft's Net Messenger
service (Sitedude found it first actually). By sending more than 2050
chars with the SEND function you can reproduce the buffer overflow
locally....

You may check it out using a sample program I made to create it. Yes
guys, it's VB. I made it in VB because C wasn't parsing enough chars
=\

try 

  net send localhost `perl -e "print 'x'x2080"`

(you'll need a real shell for the backticks to work - bash under cygwin
works fine)

You're seeing 00 78 00 78 because internally net1.exe is handling the string
as a wide string.

Out of interest - when you increase the buffer size you'll see that net1
dies in a different place (in the middle of wcscat()). This happens before
the message is sent (with a shorter string the program only crashes as it's
cleaning up after itself).


However - this bug is in the net1.exe executable which is the client - not
the service - so I don't see how this is much more than just an annoying bug.
It would be interesting to see what happens if you fix the client and send a
long string to the csrss.exe service.


Stuart
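The crash described above is the classic unchecked wcscat() into a fixed-size wide-character buffer. The following is an added illustration, not code from the thread or from net1.exe: a bounded replacement for wcscat() that refuses input which would not fit, exercised with a string of 'x' characters (each a 0x0078 wide character, hence the 00 78 pattern seen in the crash). The buffer capacity of 2048 and the "localhost: " prefix are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Assumed capacity (in wide characters, terminator included) of the
 * fixed-size buffer. The message reports a crash past roughly 2050
 * characters; 2048 is an assumption for illustration, not a value
 * taken from net1.exe. */
#define MSG_CAP 2048

/* Length of s without reading past cap wide characters. */
static size_t bounded_wlen(const wchar_t *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != L'\0') n++;
    return n;
}

/* Replacement for an unchecked wcscat(dst, src): returns 0 and appends
 * when the result (plus terminator) fits in cap wide characters,
 * otherwise returns -1 and leaves dst untouched. */
int safe_wcs_append(wchar_t *dst, size_t cap, const wchar_t *src) {
    size_t dlen = bounded_wlen(dst, cap);
    size_t slen = wcslen(src);
    if (dlen >= cap || slen >= cap - dlen) return -1;   /* would overflow */
    memcpy(dst + dlen, src, (slen + 1) * sizeof(wchar_t));
    return 0;
}

/* Simulates the "net send" case: a message of n 'x' characters appended
 * to a constructed prefix in a MSG_CAP buffer. Returns the append result. */
int try_message(size_t n) {
    wchar_t buf[MSG_CAP] = L"localhost: ";   /* constructed prefix, 11 chars */
    wchar_t *msg = malloc((n + 1) * sizeof(wchar_t));
    if (!msg) return -2;
    for (size_t i = 0; i < n; i++) msg[i] = L'x';   /* each 'x' is 0x0078 */
    msg[n] = L'\0';
    int rc = safe_wcs_append(buf, MSG_CAP, msg);
    free(msg);
    return rc;
}

int main(void) {
    printf("2000 x: %d\n", try_message(2000));   /* 0: fits */
    printf("2080 x: %d\n", try_message(2080));   /* -1: rejected, no overflow */
    return 0;
}
```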

