Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

ncpfs buffer overflow
From: Karol Więsek <appelast () drumnbass art pl>
Date: Mon, 29 Nov 2004 13:58:02 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is buffer overflow in ncplogin and ncpmap in nwclient.c.


static void strcpy_cw(wchar_t *w, const char* s) {
~        while ((*w++ = *(const nuint8*)s++) != 0);
}

NWDSCCODE NWDSCreateContextHandleMnt(NWDSContextHandle* ctx, const
NWDSChar * treeName){
...
wchar_t wc_treeName[MAX_DN_CHARS+1];

~  if (!treeName)
~      return ERR_NULL_POINTER;

~  strcpy_cw (wc_treeName,treeName);

Currently i have not managed to successfully exploit this bug on x86.

How to reproduce :

ncplogin -T `perl -e '{print"a"x"330"}'`
ncpmap -T `perl -e '{print"a"x"330"}'` /

Tested on ncpfs-2.2.4-1 from fedora core 2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBqxzaFTSet8AbQUQRAiycAJ4+5YDHawXMrXiu2wPHt6IRN2Xx0wCeM7vm
LpGHtO/7DHkoRO18OQwve4M=
=YwvU
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • ncpfs buffer overflow Karol Więsek (Nov 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]