[Full-Disclosure] ncpfs buffer overflow

From: Karol Wiesek (appelastdrumnbass.art.pl)
Date: Mon Nov 29 2004 - 06:58:02 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is a buffer overflow in ncplogin and ncpmap, in nwclient.c.

static void strcpy_cw(wchar_t *w, const char* s) {
    /* no destination size: copies until the NUL in s, however long s is */
    while ((*w++ = *(const nuint8*)s++) != 0);
}

NWDSCCODE NWDSCreateContextHandleMnt(NWDSContextHandle* ctx, const NWDSChar * treeName){
...
    /* fixed-size stack buffer */
    wchar_t wc_treeName[MAX_DN_CHARS+1];

    if (!treeName)
        return ERR_NULL_POINTER;

    /* only the NULL check above; treeName's length is never checked */
    strcpy_cw (wc_treeName,treeName);

Currently I have not managed to exploit this bug successfully on x86.

How to reproduce:

ncplogin -T `perl -e '{print"a"x"330"}'`
ncpmap -T `perl -e '{print"a"x"330"}'` /

Tested on ncpfs-2.2.4-1 from Fedora Core 2.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBqxzaFTSet8AbQUQRAiycAJ4+5YDHawXMrXiu2wPHt6IRN2Xx0wCeM7vm
LpGHtO/7DHkoRO18OQwve4M=
=YwvU
-----END PGP SIGNATURE-----
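The mechanism behind the report, as an added example that is not code from ncpfs or from the post's author: the unbounded widening copy quoted above is placed next to a bounded replacement and a caller that checks the tree-name length before it reaches the fixed-size stack buffer. The value of MAX_DN_CHARS (taken here as 256), the error codes, and the function names other than strcpy_cw are assumptions made for this example, not the project's real definitions; the 330-byte input is the post's own reproducer, built inline.

```c
/* Added example (not ncpfs code). MAX_DN_CHARS, the error values and
 * the helper names other than strcpy_cw are assumptions for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#define MAX_DN_CHARS 256          /* assumed; the post gives no value */
#define ERR_NULL_POINTER (-1)     /* assumed error values */
#define ERR_DN_TOO_LONG  (-2)

typedef uint8_t nuint8;

/* Bug-for-bug copy of the routine quoted in the post: it takes no
 * destination size, so it writes strlen(s)+1 wide characters wherever
 * w points, regardless of how big that buffer actually is. */
static void strcpy_cw(wchar_t *w, const char *s) {
    while ((*w++ = *(const nuint8 *)s++) != 0)
        ;
}

/* strcpy_cw is only safe when the caller has already sized the
 * destination to strlen(s)+1; this helper does so on the heap and
 * returns the resulting wide length. */
static size_t copied_len(const char *s) {
    size_t n = strlen(s) + 1;
    wchar_t *w = malloc(n * sizeof *w);
    size_t len;
    if (!w)
        return 0;
    strcpy_cw(w, s);
    len = wcslen(w);
    free(w);
    return len;
}

/* Bounded variant: writes at most n wide characters and always
 * NUL-terminates when n > 0. Returns the number of characters copied. */
static size_t strncpy_cw(wchar_t *w, size_t n, const char *s) {
    size_t i = 0;
    if (n == 0)
        return 0;
    for (; i < n - 1 && s[i] != '\0'; i++)
        w[i] = (wchar_t)(nuint8)s[i];
    w[i] = L'\0';
    return i;
}

/* How many wide characters strcpy_cw would write past the end of a
 * wchar_t[MAX_DN_CHARS + 1] buffer for this input (0 if it fits). */
static size_t overflow_wchars(const char *treeName) {
    size_t writes = strlen(treeName) + 1;   /* includes the NUL */
    size_t room   = MAX_DN_CHARS + 1;
    return writes > room ? writes - room : 0;
}

/* Hardened shape of the tree-name handling: reject over-long names
 * before they reach the fixed-size stack buffer. Returns the converted
 * length on success, a negative error code otherwise. */
static long checked_context_len(const char *treeName) {
    wchar_t wc_treeName[MAX_DN_CHARS + 1];
    size_t n;
    if (!treeName)
        return ERR_NULL_POINTER;
    if (strlen(treeName) > MAX_DN_CHARS)
        return ERR_DN_TOO_LONG;
    n = strncpy_cw(wc_treeName, sizeof wc_treeName / sizeof wc_treeName[0], treeName);
    return (long)n;
}

/* Constructed input: the post's reproducer, a run of count 'a's
 * (capped at 511 so it fits the static buffer). */
static const char *repro_name(size_t count) {
    static char buf[512];
    if (count > sizeof buf - 1)
        count = sizeof buf - 1;
    memset(buf, 'a', count);
    buf[count] = '\0';
    return buf;
}

int main(void) {
    const char *name = repro_name(330);   /* perl -e 'print "a" x 330' */
    printf("strcpy_cw would write %zu wchar_t past wc_treeName\n",
           overflow_wchars(name));
    printf("checked handler returns %ld\n", checked_context_len(name));
    return 0;
}
```

With the assumed MAX_DN_CHARS of 256, the 330-byte reproducer makes strcpy_cw write 74 wide characters (296 bytes where wchar_t is 4 bytes) beyond wc_treeName; the checked handler refuses the same input before any copy happens.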

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html