List-
I've come across a buffer overflow and was curious whether it's
exploitable or simply a bug. Essentially the code looks like:
#include <cstdio>    // fopen
#include <cstring>   // strcpy, strcat
#include <stdlib.h>  // _MAX_PATH (260 on Win32)

logHandler = NULL;
if(logFlag == 1)   // posted as "logFlag = 1", an assignment that is always true
{
    // 260-byte buffer, but GetExePath() may itself return up to 260 characters
    static char logFileName[_MAX_PATH];
    ::strcpy(logFileName, Path::GetExePath());   // no bound on the copied path length
    ::strcat(logFileName, "security.log");       // appends 12 more bytes plus the NUL
    logHandler = fopen(logFileName, "w");
}
This is WIN32 programming, so I did some searching and found that _MAX_PATH
is defined as a constant in Windows.pas as 260 characters. The
"GetExePath()" function returns the PATH from which the application is being
run (e.g. c:\program files\app). Windows restricts this
PATH length to 260 characters (at least I presume it's 260 because of
Windows.pas).
Anyway, since this code strcpy's and then strcat's "security.log" onto the
application's PATH, I noted this could result in a buffer overflow in the
variable "logFileName" in the event that the application's PATH is larger
than 248 characters, which is valid as it's less than the Windows-defined 260
characters. However, my question is: apart from putting the application in a
PATH of greater than 248 characters in length, is there a way to intercept
"GetExePath" and feed it a bogus PATH length in order to cause an exploitable
buffer overflow or some other security-related attack?
I'd appreciate any input. Thanks.
-Secterm
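A hardened way to build the same log file name, added here as an example that is not from the original post or its application: it works out how long the exe path may be before the fixed buffer would overflow, and fails closed instead of overrunning it. LOG_MAX_PATH stands in for the Win32 _MAX_PATH constant so the code compiles anywhere, and the two paths are constructed inputs rather than anything the post mentions.

```c
#include <stdbool.h>
#include <string.h>

/* Stand-in for the Win32 _MAX_PATH constant (260) so this builds anywhere. */
#define LOG_MAX_PATH 260
#define LOG_SUFFIX   "security.log"

/* Longest exe path that still fits: buffer minus suffix minus the NUL.
   For a 260-byte buffer that is 260 - 12 - 1 = 247 characters. */
size_t max_safe_exe_path_len(size_t out_len)
{
    size_t need = strlen(LOG_SUFFIX) + 1;
    return out_len > need ? out_len - need : 0;
}

/* Hardened replacement for the strcpy/strcat pair in the post: checks the
   total length up front and fails closed instead of writing past `out`. */
bool build_log_name(const char *exe_path, char *out, size_t out_len)
{
    if (exe_path == NULL || out == NULL || out_len == 0)
        return false;
    size_t path_len = strlen(exe_path);
    if (path_len > max_safe_exe_path_len(out_len)) {
        out[0] = '\0';      /* leave a valid, empty string behind */
        return false;       /* caller reports the failure and does not fopen */
    }
    memcpy(out, exe_path, path_len);
    memcpy(out + path_len, LOG_SUFFIX, strlen(LOG_SUFFIX) + 1);
    return true;
}

/* Constructed inputs: a normal install path, and a 250-character path that
   Windows allows (under 260) but that the posted code would overflow on. */
static char g_log_name[LOG_MAX_PATH];

const char *demo_normal_path(void)
{
    return build_log_name("C:\\Program Files\\app\\", g_log_name,
                          sizeof g_log_name) ? g_log_name : NULL;
}

const char *demo_long_path(void)
{
    char long_path[251];
    memset(long_path, 'a', 250);
    long_path[250] = '\0';
    return build_log_name(long_path, g_log_name, sizeof g_log_name)
               ? g_log_name : NULL;   /* NULL: rejected, nothing overwritten */
}
```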
Received on Aug 03 2002