Bugtraq mailing list archives

Re: Buffer overflow in the query cgi.


From: tqbf () ENTERACT COM (Thomas H. Ptacek)
Date: Sun, 5 Jan 1997 01:34:45 -0600


typedef struct {
    char name[128];

...

main(int argc, char *argv[]) {
    entry entries[10000];

...

        getword(entries[x].val,cl,'&');

else can exploit this.  It should be pretty easy since all you have to do
is supply 128 bytes, then enough code to get up to the stack and overwrite
it, all in the query string.

Heh. You'll need to supply considerably more than 128 bytes - you'll need
to supply at least ((128 * 2) * 10000) - ((128 * 2) * ENTRIESUSED) bytes.
entries[10000] is an array of structures allocated on the stack in
main()'s stack frame. Each of those structures contains two 128 byte
arrays. Enjoy.

Also, overflows onto main()'s stack frame can complicate things in some
architectures, especially on Suns (register windows, double return past
crt0), and especially when (as is usually the case) the application
exit()'s rather than returning back into crt0. The conventional
overwrite-the-activation-record trick might not be the best way to
approach the problem in these cases.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
----------------
exit(main(kfp->kargc, argv, environ));
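The stack arithmetic in the reply above, as an added example that is not part of the original posting or of the CGI under discussion. It assumes the quoted struct has `val` directly after `name` (only `name` and an elision are shown), and that `getword()` copies a token up to the delimiter with no length check, which is what the overflow report implies; `copy_until()` here is a stand-in for that behaviour, not the CGI's own code. `entry`, `NENTRIES` and the scaled-down eight-entry experiment are the example's own.

```c
#include <stddef.h>
#include <string.h>

#define FIELD    128
#define NENTRIES 10000

/* Layout as quoted in the thread; that val directly follows name is an assumption. */
typedef struct {
    char name[FIELD];
    char val[FIELD];
} entry;

/* Bytes from the first byte of entries[x].val to the end of the whole array,
 * i.e. how much a query-string token must carry before it even leaves the
 * array and reaches main()'s saved registers and return address. */
size_t bytes_to_array_end(size_t x)
{
    return (NENTRIES - x) * sizeof(entry) - offsetof(entry, val);
}

/* Ptacek's back-of-the-envelope figure from the reply, for comparison. */
size_t ptacek_estimate(size_t used)
{
    return (size_t)(FIELD * 2) * NENTRIES - (size_t)(FIELD * 2) * used;
}

/* Stand-in for an unbounded getword(dst, src, '&'): copies up to the delimiter
 * with no bound on dst. dst is derived from a pointer to the whole array, so the
 * overflow is an ordinary write into later array elements. */
static void copy_until(char *dst, const char *src, char stop)
{
    while (*src && *src != stop)
        *dst++ = *src++;
    *dst = '\0';
}

/* Scaled-down experiment with eight entries (constructed data): write len bytes
 * of 'A' into entries[x].val the way an over-long token would arrive, then
 * report the index of the last entry that received any payload byte.
 * Returns -1 when the payload (plus terminator) would run past the array, the
 * situation in which the real overflow starts touching the frame below it. */
int last_entry_hit(size_t x, size_t len)
{
    enum { N = 8 };
    entry e[N];
    char src[N * sizeof(entry) + 2];
    size_t start = x * sizeof(entry) + offsetof(entry, val);

    if (x >= N || start + len + 1 > sizeof e)
        return -1;

    memset(e, 0, sizeof e);
    memset(src, 'A', len);
    src[len] = '&';                 /* delimiter that stops the copy */
    src[len + 1] = '\0';

    copy_until((char *)e + start, src, '&');

    int hit = -1;
    for (int i = 0; i < N; i++)
        if (memchr(&e[i], 'A', sizeof e[i]))
            hit = i;
    return hit;
}
```

`last_entry_hit(1, 200)` returns 2: the first 128 bytes fill `e[1].val`, the remaining 72 land in `e[2].name`, and the terminator follows them. Nothing outside the array is touched until the payload exceeds `bytes_to_array_end(x)`, which for `x = 0` is 2,559,872 bytes against Ptacek's 2,560,000; the difference is just the `name` field in front of the first `val`.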