InfoSect's Month of Pointless Bonus Bugs (#31)

InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.

Bonus Bug #31

In the package amideco, which is some kind of AMI BIOS extractor, we have a simple stack overflow. Not that useful since it's not running at privs, but maybe in some scenarios it's a client side..

        switch(AMIVer)
        {
        case 95:
                PartTotal = Xtract95(ptx, HelpID, ConstOff, Offset, argv[1]);
                break;
        case 94:

...

byte Xtract95(FILE *ptx, byte Action, dword ConstOff, dword Offset, byte* fname)
        {

        FILE *pto;
        interfacing interface;
        byte    PartTotal = 0;
        PARTTag part;
        byte    Buf[64];
        byte    MyDirName[64]     =       "--DECO--";
        dword   i;
        byte    sLen = 0;

        byte    doDir   = 0;
        /*
        For the case of multiple 0x20 modules
        */
        byte    Multiple = 0, j = 0;


        sLen = StrLen(fname);
        for ( i = sLen; i > 0; i-- )
            {
                if( *(fname + i) == '/' || *(fname + i ) == '\\' ) { i++; break; }
            }

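        /* Copies sLen - i bytes of the caller-supplied file name (argv[1])
           into the 64-byte MyDirName with no check against its size. */
        memcpy(MyDirName, (fname + i), sLen - i);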
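
A bounded version of the base-name copy in the excerpt above, as an added example that is not amideco's code or a patch from the project. The helper name `copy_basename` and the sample path are assumptions; the 64-byte buffer matches `MyDirName`.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not amideco code): copy the file-name component of
 * `path` into `dst` (capacity `dstsz`), always NUL-terminated.
 * Returns 0 on success, -1 if it does not fit or an argument is invalid. */
int copy_basename(const char *path, char *dst, size_t dstsz)
{
    const char *base;
    const char *p;
    size_t len;

    if (path == NULL || dst == NULL || dstsz == 0)
        return -1;

    /* Point `base` just past the last '/' or '\\', which is what the loop in
     * the excerpt is looking for. Lengths here are size_t, not the excerpt's
     * `byte` sLen. */
    base = path;
    for (p = path; *p != '\0'; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;

    len = strlen(base);
    if (len >= dstsz) {          /* would overflow: refuse instead of copying */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, base, len + 1);  /* len + 1 copies the terminator too */
    return 0;
}

int main(int argc, char **argv)
{
    char name[64];               /* same size as MyDirName in the excerpt */
    const char *arg = argc > 1 ? argv[1] : "bios/AMI95.ROM"; /* constructed sample */

    if (copy_basename(arg, name, sizeof name) != 0) {
        fprintf(stderr, "file name too long for %zu-byte buffer\n", sizeof name);
        return 1;
    }
    printf("%s\n", name);
    return 0;
}
```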
