> We recently found an unchecked buffer in Microsoft's Net Messenger
> service (Sitedude found it first actually). By sending more than 2050
> chars with the SEND function you can reproduce the buffer overflow
> locally....
> You may check it out using a sample program I made to create it. Yes
> guys, it's VB. I made it in VB because C wasn't parsing enough chars
> =\

try net send localhost `perl -e "print 'x'x2080"`

(you'll need a real shell for the backticks to work - bash under cygwin works fine)

You're seeing 00 78 00 78 because internally net1.exe is handling the string as a wide string.

Out of interest - when you increase the buffer size you'll see that net1 dies in a different place (in the middle of wcscat()). This happens before the message is sent (with a shorter string the program only crashes as it's cleaning up after itself).

However - this bug is in the net1.exe executable which is the client - not the service - so I don't see how this is much more than just an annoying bug. It would be interesting to see what happens if you fix the client and send a long string to the csrss.exe service.

Stuart
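The two mechanics Stuart points at (the 00 78 pattern coming from a wide string, and the crash inside an unbounded wcscat()) can be shown in a few lines. The following is an added, constructed illustration, not code from the thread or from net1.exe: the 2050-element buffer size is taken from the reported threshold and is a hypothetical stand-in for whatever layout the real client uses. It encodes an ASCII message the way Windows stores wide strings, and replaces the unbounded concatenation with a length-checked append that refuses a 2080-character message instead of writing past the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical fixed-size wide-character message buffer. 2050 comes from the
 * post's reported threshold; it is NOT the actual net1.exe buffer layout. */
#define MSG_CAPACITY 2050

/* Bounded replacement for wcscat(): appends src to dst only when the result,
 * including the terminating NUL, fits in capacity wide chars. Returns 1 on
 * success and 0 (leaving dst untouched) when the append would overflow. */
int bounded_wcscat(wchar_t *dst, size_t capacity, const wchar_t *src)
{
    size_t used = wcslen(dst);
    size_t need = wcslen(src);
    if (used >= capacity || need > capacity - used - 1)
        return 0;
    memcpy(dst + used, src, (need + 1) * sizeof(wchar_t));
    return 1;
}

/* Encode an ASCII string as UTF-16LE, the in-memory form Windows uses for wide
 * strings: each character becomes two bytes, one of them zero, which is why a
 * run of 'x' (0x78) shows up in a dump as alternating 78 and 00 bytes.
 * Returns the number of bytes written, or 0 if out_cap is too small. */
size_t ascii_to_utf16le(const char *s, unsigned char *out, size_t out_cap)
{
    size_t n = strlen(s);
    if (out_cap < n * 2) return 0;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = (unsigned char)s[i];
        out[2 * i + 1] = 0x00;
    }
    return n * 2;
}

/* Build a wide string of n copies of ch (the 'x' x 2080 from the post). */
void fill_wide(wchar_t *buf, size_t n, wchar_t ch)
{
    for (size_t i = 0; i < n; i++) buf[i] = ch;
    buf[n] = L'\0';
}

/* Try to place a message of len chars into a MSG_CAPACITY buffer using the
 * bounded append. Returns 1 if it fit, 0 if the append was rejected. */
int try_message(size_t len)
{
    wchar_t msg[MSG_CAPACITY] = { 0 };
    wchar_t payload[4096];   /* constructed input, large enough for 2080 chars */
    if (len >= sizeof payload / sizeof payload[0]) return 0;
    fill_wide(payload, len, L'x');
    return bounded_wcscat(msg, MSG_CAPACITY, payload);
}

int main(void)
{
    unsigned char bytes[8];
    size_t n = ascii_to_utf16le("xx", bytes, sizeof bytes);
    printf("\"xx\" as UTF-16LE, %zu bytes:", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", bytes[i]);
    printf("\n");
    printf("100 chars accepted:  %d\n", try_message(100));
    printf("2080 chars accepted: %d\n", try_message(2080));
    return 0;
}
```

The point of the bounded append is that the capacity check happens in wide characters, not bytes: a byte-count check against a wchar_t buffer would let twice as much data through, which is the kind of mismatch that makes wide-string code crash at a different length than the byte-oriented code around it.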
This archive was generated by hypermail 2b30 : Wed May 15 2002 - 09:55:43 PDT