[Dailydave] Fwd: Ferret
gerbil at hushmail.com
Tue Mar 6 11:36:48 EST 2007
Dear Phrack Magazine,
>> Ferret-1/Ferret/http.c:
>> void process_simple_http(struct Seaper *seap, struct NetFrame *frame,
>>                          const unsigned char *px, unsigned length) {
>>     char method[16];
>>     ...
>>     x=0;
>>     while (i<length && !isspace(px[i])) {
>>         if (x < sizeof(method) -1) {
>>             method[x++] = (char)toupper(px[i++]);
>>             method[x] = '\0';
>>         }
>>     }
Cool dude! Mine is better. It makes it so that you can buffer
overflow a buffer!
Check out this one.
Summary:
Ferret-1/Ferret/wifi80211.c:
void process_wifi_fields(struct Seaper *seap, struct NetFrame *frame,
                         const unsigned char *px, unsigned length, unsigned offset,
                         struct WIFI_MGMT *wifimgmt) {
    .....
    case 7: /* COUNTRY INFORMATION */
        ...
        char country[16];
        ...
        char power[32];
        if (country_len > sizeof(country-1))
            country_len = sizeof(country-1);
        memcpy(country, px+offset, country_len);
        country[country_len] = '\0';
    .....
}
OMFG DUDE the negative one should go OUTSIDE the paren! WTF!
Someone should have hired a security startup to audit this code;
one that actually knows what it is doing LoL!
Due to the behavior of the sizeof operator when passed a pointer
(accidentally or intentionally! OMFG WHAT A POWERFUL LANGUAGE) it
is trivial to exploit this vulnerability using a specially crafted
wifi packet on processors which have pointers larger than 16 bytes.
This means that this bug affects ferret on x86_192 and x86_256
processors. Exploitation of this vulnerability will in most (all?)
cases lead to excessive seepage and theft of pornography.
Affected products:
Everything except QNX RTOS and grSecurity
Solution:
Hire competent code auditors before running third party code
Truly Yours,
Gerbil Seepage High Board Of Consular Directors and Heads of State
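Added example (not Ferret's code and not part of the post above): the `sizeof(country-1)` bound from the wifi80211.c snippet placed beside the intended `sizeof(country)-1`, applied to a constructed Country information element. The point it makes concrete is that `country-1` is a `char *` expression, so `sizeof` yields the pointer width (8 on LP64, 4 on ILP32) rather than 15; on real hardware the result is silent truncation of the country string, and the bound would only exceed the 16-byte buffer on a platform whose pointers are wider than that. The function and variable names (`copy_country`, `sample_country_ie`, `cap_as_written`, `cap_as_intended`) and the sample IE bytes are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed 802.11 Country information element (element ID 7):
 * ID, length, 3-byte country string, then (first channel, channel count,
 * max tx power) triplets. Built for this example, not captured traffic. */
static const unsigned char sample_country_ie[] = {
    0x07, 0x0f,
    'U', 'S', ' ',
    1, 11, 30,
    36, 4, 17,
    52, 4, 23,
    100, 11, 30
};

/* The two bounds side by side. In the first, sizeof is applied to the
 * expression (country-1), which has type char *, so the result is the
 * pointer width and has nothing to do with the array's size. */
static size_t cap_as_written(void)  { char country[16]; return sizeof(country-1); }
static size_t cap_as_intended(void) { char country[16]; return sizeof(country)-1; }

/* Copy the country string out of an IE the way the Ferret snippet does.
 * `bug` selects the bound as written in wifi80211.c; otherwise the intended
 * one. Returns the number of bytes copied; `out` receives the NUL-terminated
 * string. With `bug` set, the copy is only memory-safe because sizeof(char *)
 * happens to be smaller than sizeof(country) on every mainstream ABI. */
static size_t copy_country(const unsigned char *ie, int bug,
                           char *out, size_t outsz)
{
    char country[16];
    size_t country_len = ie[1];
    const unsigned char *px = ie + 2;
    size_t cap = bug ? sizeof(country-1) : sizeof(country)-1;

    if (country_len > cap)
        country_len = cap;
    memcpy(country, px, country_len);
    country[country_len] = '\0';
    snprintf(out, outsz, "%s", country);
    return country_len;
}

/* Convenience wrapper over the sample IE: bytes copied under either bound. */
static size_t sample_copied(int bug)
{
    char out[32];
    return copy_country(sample_country_ie, bug, out, sizeof out);
}

int main(void)
{
    char out[32];
    printf("sizeof(country-1)  = %zu (pointer width)\n", cap_as_written());
    printf("sizeof(country)-1  = %zu (array length - 1)\n", cap_as_intended());
    printf("as written: copied %zu of %u bytes -> \"%s\"\n",
           copy_country(sample_country_ie, 1, out, sizeof out),
           sample_country_ie[1], out);
    printf("as intended: copied %zu of %u bytes -> \"%s\"\n",
           copy_country(sample_country_ie, 0, out, sizeof out),
           sample_country_ie[1], out);
    return 0;
}
```

Compile with `-Wall`: recent compilers flag `sizeof(country-1)` (GCC's `-Wsizeof-pointer-div`/`-Wsizeof-array-argument` family, Clang's `-Wsizeof-pointer-memaccess` and friends catch many of these patterns), which is the cheap check an auditor would want in the build before reading the parser by hand.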