Vulnerability Development mailing list archives
Re: strcpy bug
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Tue, 10 Jun 2003 12:13:05 +0000
From: xenophi1e <oliver.lavery () sympatico ca>
Date: 7 Jun 2003 18:34:59 -0000

> > The windows "Search for files and folders" utility will search binaries and
> > can often find the linkage names of functions and dlls they call.

> *Lol*. I never would have thought to use the pretty GUI with the little doggie
> for anything like this. But of course, it's really just a not-so-good
> strings / objdump | grep.
It's a quick and dirty hack, that's why I like it :) Of course it won't find linkages that are only specified by function ordinal, so you get false negatives.
> Yeah, another obvious problem I realised after posting is that MAX_PATH on
> windows is 260 / 0x104. So the overflowable buffer is MAX_PATH characters long.
Heh, as I found out also when trying to create a .eot file with an overly long name!
> There's some protection since applications that are well written probably
> won't call a file open sort of function with a filename longer than MAX_PATH.
> Of course we all know how many applications are actually well written...
The question is, can we get any application to try and LZOpenFileA a file without first performing a check-for-existence test? I haven't managed to fool IE or OE yet with any of the usual MIME / CID: tricks....
DaveK
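The two points in the exchange above, as an added example that is not code from the thread and does not call LZOpenFileA itself: a MAX_PATH (260) buffer filled by strcpy, the caller-side length check that keeps an overlong name away from it, and the "search the binary for the import name" trick together with the ordinal-only false negative. All function names are hypothetical, and the two byte blobs are constructed stand-ins for a few bytes of a PE import table, not real binaries.

```c
/* Added example. Models the pattern discussed in the thread: a fixed
 * MAX_PATH buffer filled by strcpy, the caller-side check that avoids
 * passing it an overlong filename, and a raw byte search for an import
 * name. Function names are hypothetical; LZOpenFileA is not called. */
#include <stdio.h>
#include <string.h>

#define MAX_PATH 260   /* 0x104, as quoted in the thread */

/* The risky shape: strcpy into a fixed MAX_PATH buffer. A 300-byte name
 * writes 41 bytes past the end of 'buf'. Shown for illustration only;
 * main() below never calls it with a long name. */
void copy_path_unchecked(char *buf, const char *name)
{
    strcpy(buf, name);
}

/* Caller-side guard: does 'name' plus its terminating NUL fit in a
 * MAX_PATH buffer? Scans at most MAX_PATH bytes so an unterminated or
 * very long input cannot make the check itself read out of bounds. */
int path_fits(const char *name)
{
    size_t i;
    for (i = 0; i < MAX_PATH; i++)
        if (name[i] == '\0')
            return 1;
    return 0;   /* no terminator within MAX_PATH bytes: too long */
}

/* Bounded copy that refuses rather than truncates: a silently truncated
 * path names a different file than the one requested. Returns 0 on
 * success, -1 if the name would not fit. */
int copy_path_checked(char *buf, const char *name)
{
    if (!path_fits(name))
        return -1;
    memcpy(buf, name, strlen(name) + 1);
    return 0;
}

/* Poor-man's "strings | grep": look for an import name inside a raw
 * binary blob. The blob contains NUL bytes, so strstr cannot be used. */
int blob_contains(const unsigned char *blob, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    size_t i;
    if (n == 0 || len < n)
        return 0;
    for (i = 0; i + n <= len; i++)
        if (memcmp(blob + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Constructed stand-ins (not real binaries) for a few bytes of two import
 * tables. The first imports LZOpenFileA by name; the second imports from
 * LZ32.dll by ordinal only (loosely modelled on a PE ordinal entry with
 * the high bit set), so the function name never appears in the file and
 * a string search reports a false negative. */
const unsigned char import_by_name[] =
    "MZ\x90\0\0\0LZ32.dll\0\0\0LZOpenFileA\0\0KERNEL32.dll\0";
const size_t import_by_name_len = sizeof(import_by_name);

const unsigned char import_by_ordinal[] =
    "MZ\x90\0\0\0LZ32.dll\0\x06\x00\x00\x80KERNEL32.dll\0";
const size_t import_by_ordinal_len = sizeof(import_by_ordinal);

int main(void)
{
    char buf[MAX_PATH];
    char longname[301];

    memset(longname, 'A', 300);
    longname[300] = '\0';

    printf("short name accepted:  %d\n",
           copy_path_checked(buf, "C:\\fonts\\x.eot") == 0);
    printf("300-byte name refused: %d\n",
           copy_path_checked(buf, longname) == -1);
    printf("named import found:    %d\n",
           blob_contains(import_by_name, import_by_name_len, "LZOpenFileA"));
    printf("ordinal import found:  %d\n",
           blob_contains(import_by_ordinal, import_by_ordinal_len, "LZOpenFileA"));
    return 0;
}
```

The check rejects rather than truncates on purpose: clipping a name to 259 characters avoids the overflow but can quietly redirect the open to a different file. The byte search is exactly why the GUI trick works on name imports and misses ordinal imports, as the thread notes.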
Current thread:
- strcpy bug xenophi1e (Jun 01)
- <Possible follow-ups>
- Re: strcpy bug Dave Korn (Jun 05)
- Re: strcpy bug xenophi1e (Jun 09)
- Re: strcpy bug Dave Korn (Jun 10)