ncpfs buffer overflow

To: full-disclosure@xxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: ncpfs buffer overflow
From: Karol Więsek <appelast@xxxxxxxxxxxxxxxx>
Date: Mon, 29 Nov 2004 13:58:02 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 0.9 (X11/20041103)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is buffer overflow in ncplogin and ncpmap in nwclient.c.


static void strcpy_cw(wchar_t *w, const char* s) {
~        while ((*w++ = *(const nuint8*)s++) != 0);
}

NWDSCCODE NWDSCreateContextHandleMnt(NWDSContextHandle* ctx, const
NWDSChar * treeName){
...
wchar_t wc_treeName[MAX_DN_CHARS+1];

~  if (!treeName)
~      return ERR_NULL_POINTER;

~  strcpy_cw (wc_treeName,treeName);

Currently i have not managed to successfully exploit this bug on x86.

How to reproduce :

ncplogin -T `perl -e '{print"a"x"330"}'`
ncpmap -T `perl -e '{print"a"x"330"}'` /

Tested on ncpfs-2.2.4-1 from fedora core 2

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBqxzaFTSet8AbQUQRAiycAJ4+5YDHawXMrXiu2wPHt6IRN2Xx0wCeM7vm
LpGHtO/7DHkoRO18OQwve4M=
=YwvU
-----END PGP SIGNATURE-----

Prev by Date: Macromedia provided wrong "Solution" in mpsb02-08
Next by Date: [SECURITY] [DSA 601-1] New libgd1 packages fix arbitrary code execution
Previous by thread: Macromedia provided wrong "Solution" in mpsb02-08
Next by thread: [SECURITY] [DSA 601-1] New libgd1 packages fix arbitrary code execution
Index(es):
- Date
- Thread