Bugtraq mailing list archives

Re: OpenLink 3.2 Advisory


From: smm () WPI EDU (Seth McGann)
Date: Fri, 15 Oct 1999 21:52:07 -0400


The NT version is vulnerable to a boundary condition as well.  If memory
serves (I looked at this last April, so it may be foggy) I was able to
successfully modify the EIP but found no obvious way to get back to the
overflowing buffer (where my egg would be).  When I left off I found some
code that would jump me back a little bit before the buffer.
Unfortunately, the data formed some invalid opcodes, so no luck.  I'm sure
someone can figure it out, I'm sick of having my clock off by 6 hours from
SoftIce warp :)

At 18:37 10/15/99 -0500, you wrote:
> Hmm.  I wonder if I should start numbering these things now. 8)
>
> Overview:
>
> A serious security hole has been found in the web configuration utility
> that comes with OpenLink 3.2.  This hole will allow remote users to
> execute arbitrary code as the user id under which the web configurator is
> run (inherited from the request broker, oplrqb).  The hole is a
> run-of-the-mill buffer overflow, due to lack of parameter checking when
> strcpy() is used.
> <CUT>

Seth M. McGann / smm () wpi edu        "Security is making it
http://www.wpi.edu/~smm              to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7  19E3 6AF7 4AE7 E250 1C80
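The bug class the quoted advisory names (a request parameter copied with strcpy() and no length check) and the bounded alternative, as an added illustration that is not OpenLink's code and not from either poster; buffer size, parameter names and the query-string format are constructed for the example.

```c
#include <string.h>

/* Hardened replacement for the unchecked strcpy(dst, value) pattern the
 * advisory describes: check the length first, copy with an explicit bound,
 * and always NUL-terminate. Returns 1 on success, 0 if the value is rejected. */
int copy_param_checked(char *dst, size_t dstlen, const char *value)
{
    size_t n = strlen(value);
    if (dstlen == 0 || n >= dstlen)
        return 0;                /* too long for the buffer: reject, do not overflow */
    memcpy(dst, value, n + 1);   /* n + 1 <= dstlen, so the terminator fits */
    return 1;
}

/* Extract the value of one key from a constructed query string such as
 * "a=1&name=x" into a fixed-size buffer, refusing values that would not fit.
 * A CGI-style configurator that instead did strcpy(buf, value) here is the
 * shape of the hole in the advisory. Returns 1 if found and copied, 0 if
 * the key is absent or the value is rejected. */
int get_param(const char *query, const char *key, char *dst, size_t dstlen)
{
    size_t klen = strlen(key);
    const char *p = query;

    while (*p) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);

        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            if (vlen >= dstlen)
                return 0;        /* value would overflow dst: reject it */
            memcpy(dst, p + klen + 1, vlen);
            dst[vlen] = '\0';
            return 1;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}
```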

