ftp.exe anf tftp.exe buffer overflows

From: Max (rusmirat_private)
Date: Thu Feb 27 2003 - 16:43:21 PST

Next message: Barry Zubel: "RE: axis2400 webcams"

Previous message: Martin Eiszner: "axis2400 webcams"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello there,

ftp.exe and tftp.exe both have the same problem with unchecked hostname length.

Description:
    ftp.exe and tftp.exe do not check the length of hostname parameter before
    passing it to gethostbyname(). This makes possible to crash them by providing
    a long enough (~550+ bytes) hostname string.

    According to Microsoft:

    (http://msdn.microsoft.com/library/en-us/winsock/winsock/gethostbyname_2.asp)

    "The gethostbyname function does not check the size of the name parameter
    before passing the buffer. In improperly sized name parameters,
    heap corruption can occur."

Although it is sort of strange behaviour, it is documented.
A good advice for MS developers is to read function description before using it.

Both problems tested on up-to-date W2KPro.

Thanks,

Max.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+XrCw8mCpXsrcXpwRAvrCAKDrQ9HALqCl3w1F23xsEEgAD4is9ACg7uHC
c5aVcrLBTzJ0/o4WJXsLVnM=
=20xF
-----END PGP SIGNATURE-----

Next message: Barry Zubel: "RE: axis2400 webcams"
Previous message: Martin Eiszner: "axis2400 webcams"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Feb 28 2003 - 09:06:12 PST