Broadcast buffer-overflow in Vypress Messenger 3.5.1

To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx
Subject: Broadcast buffer-overflow in Vypress Messenger 3.5.1
From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
Date: Fri, 1 Oct 2004 19:24:15 +0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#######################################################################

                             Luigi Auriemma

Application:  Vypress Messenger
              http://www.vypress.com/products/messenger/
Versions:     <= 3.5.1
Platforms:    Windows
Bug:          buffer overflow
Risk:         critical
Exploitation: remote, broadcast
Date:         01 October 2004
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Vypress Messenger is an intranet Windows application for exchanging
messages.


#######################################################################

======
2) Bug
======


A visualization function in the program is affected by a
buffer-overflow bug exploitable using 776 chars in the field #1 of a
message.

Due to the intranet nature of the program is possible to exploit any
host in the LAN simply sending the malicious message to a broadcast
address.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/vymesbof.zip


#######################################################################

======
4) Fix
======


Version 4.0 RC1:

  http://www.vypress.com/previews/


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

Prev by Date: EEYE: RealPlayer pnen3260.dll Heap Overflow
Next by Date: Re: Possible GDI Exploit Vector
Previous by thread: Re: EEYE: RealPlayer pnen3260.dll Heap Overflow
Next by thread: MDKSA-2004:104 - Updated samba packages fix vulnerability
Index(es):
- Date
- Thread