Re: NOD32 Antivirus Long Path Name Stack Overflow Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: NOD32 Antivirus Long Path Name Stack Overflow Vulnerabilities
From: v9@xxxxxxxxxxx
Date: 23 May 2007 00:11:29 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

> Although the vulnerabilities are hard to exploit, > it's not impossible.
> There are some restrictions to bypass:
> 
> - The path name is formated in Unicode, so we have to find an opcode in an 
> address with an unicode format
> - The shellcode has to be in the path name so we have to use an Alphanumeric 
> shellcode

What's to stop someone from encoding the path(shellcode) in unicode(using both 
bytes of unicode/no null bytes)? Also, is there a special situation why it has 
to be strictly alphanumeric? Because, in general this is not the case.

I've worked with these guidelines myself in the 
past(http://fakehalo.us/xfinder-ds.pl), and I see no specific issue with doing 
similar for this, unless information to the contrary isn't included.

Follow-Ups:
- Re: NOD32 Antivirus Long Path Name Stack Overflow Vulnerabilities
  - From: Ismael Briones

Prev by Date: [USN-462-1] PHP vulnerabilities
Next by Date: [ MDKSA-2007:108 ] - Updated gimp packages fix stack overflow in sunras plugin
Previous by thread: NOD32 Antivirus Long Path Name Stack Overflow Vulnerabilities
Next by thread: Re: NOD32 Antivirus Long Path Name Stack Overflow Vulnerabilities
Index(es):
- Date
- Thread