Posts

Showing posts from June, 2018

2 tiny bugs in sqlmap

I was at SecTalks-Canberra tonight, where a workshop was being given on SQL injection. The speaker was talking about sqlmap, so instead of spending the time doing the actual workshop content, which was quite good, I had a quick look at the sqlmap code.

sqlmap/extra/icmpsh/icmpsh-s.c

int main(int argc, char **argv) {
...
        unsigned int max_data_size;
...
        // parse command line options
        for (opt = 1; opt < argc; opt++) {
                if (argv[opt][0] == '-') {
                        switch(argv[opt][1]) {
...
                                case 's':
                                        if (opt + 1 < argc) {
                                                max_data_size = atol(argv[opt + 1]);
                                        }
                                        break;
...
        in_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE);
        out_buf = (char *) malloc(max_data_size + ICMP_HEADERS_SIZE);

+++ integer overf…
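To make the arithmetic problem concrete, here is an added example (my own code, not sqlmap's icmpsh-s.c) that reproduces the unsigned addition from the excerpt beside a checked version. The header size constant, the MAX_PAYLOAD policy bound and the strict parser are assumptions for the example; the real program defines its own values.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed constant for this example; icmpsh-s.c defines its own value. */
#define ICMP_HEADERS_SIZE 28u
/* Hypothetical policy limit on the payload carried in one ICMP packet. */
#define MAX_PAYLOAD 65535u

/* The original arithmetic: unsigned int + unsigned int wraps modulo UINT_MAX+1,
 * so a huge -s value yields a tiny allocation while max_data_size stays huge. */
unsigned int unchecked_alloc_size(unsigned int max_data_size) {
    return max_data_size + ICMP_HEADERS_SIZE;
}

/* Checked replacement: refuse sizes above the policy limit and guard the
 * addition so it can never wrap. Returns 0 on rejection; 0 is never a valid
 * result because ICMP_HEADERS_SIZE > 0. */
size_t safe_alloc_size(unsigned int max_data_size) {
    if (max_data_size > MAX_PAYLOAD) return 0;
    if ((size_t)max_data_size > SIZE_MAX - ICMP_HEADERS_SIZE) return 0;
    return (size_t)max_data_size + ICMP_HEADERS_SIZE;
}

/* Strict replacement for atol(): decimal digits only, no sign, no trailing
 * junk, within MAX_PAYLOAD. Returns the value, or -1 on any error. */
long parse_size(const char *s) {
    if (s == NULL || *s < '0' || *s > '9') return -1;  /* rejects "", "-1", "+5" */
    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    if (v > MAX_PAYLOAD) return -1;
    return (long)v;
}

/* Stand-alone demonstration on constructed -s arguments. */
int main(void) {
    const char *inputs[] = { "1024", "4294967295", "-1", "12abc" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned int naive = (unsigned int)atol(inputs[i]);  /* what the original does */
        long strict = parse_size(inputs[i]);
        printf("-s %-12s atol->%u unchecked=%u  strict=%ld safe=%zu\n",
               inputs[i], naive, unchecked_alloc_size(naive), strict,
               strict < 0 ? (size_t)0 : safe_alloc_size((unsigned int)strict));
    }
    return 0;
}
```

With "-s 4294967295" (or "-s -1", which atol turns into the same unsigned value) the unchecked sum comes out as 27, so malloc returns a buffer far smaller than the size the rest of the program believes it has; the checked version rejects the value before any allocation happens.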

NetBSD NFS Kernel Vulnerability

This was from InfoSect's first group auditing session.

http://mail-index.netbsd.org/source-changes/2018/01/25/msg091481.html

There must be a lot of embedded NetBSD systems running NFS.