Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Ares FileShare Buffer Overflow

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Ares FileShare Buffer Overflow
Date: 14 Aug 2005 17:44:45 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Ares FileShare Buffer Overflow
------------------------------------------------------------------------


SUMMARY

 <http://www.aresfileshare.com/> Ares Fileshare is "a P2P application that 
supports connecting to several P2P networks eg, Gnutella and OpenFT".

A buffer overflow vulnerability has been discovered in Ares FileShare 
software. The buffer overflow can be triggered whenever the program 
initiates a search containing an arbitrarily long string.

DETAILS

Vulnerable Systems:
 * Ares FileShare version 1.1

Exploitation of a buffer overflow vulnerability in Ares FileShare could 
allow execution of arbitrary code. A specially crafted .conf file 
(ares.conf - configuration file of Ares FileShare) containing long 
searched strings history information or entering a long string for Search 
can cause Ares FileShare to overwrite stack space. No checks are made on 
the length of data being copied, When a string data is longer than 1065 
bytes (1066 or longer), allowing the return address on the stack to be 
overwritten (in UNICODE).

Successful exploitation allows remote and local attackers to execute 
arbitrary code in the context of the target user that opened the malicious 
configuration file or entering specially crafted search data. After this 
when user starts Ares FileShare program and selects this malicious entry 
from Search Listbox, buffer overflow occurs.

An example malicious ares.conf file is that contains long search history 
data:
history = AAAAA.....[ A x 1065 bytes (where the EIP starts in UNICODE) 
]AA...\r\n

The data that is written onto the stack is in the form: 0x00410041

41s in hexadecimal = 'A's are controlled by the input. While this tends to 
make exploitation more difficult, it does not prevent it, as it may be 
possible for an attacker to cause controlled data to be put into a memory 
location matching the required format.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:kozan@spyinstructors.com> 
kozan.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Ares FileShare Buffer Overflow, SecuriTeam <=
Previous by Date:  [NT] Nortel Contivity VPN Client Privilege Escalation, SecuriTeam
Next by Date:  [TOOL] Windows TCP/IP Stack Hardening Tool, SecuriTeam
Previous by Thread:  [NT] Nortel Contivity VPN Client Privilege Escalation, SecuriTeam
Next by Thread:  [TOOL] Windows TCP/IP Stack Hardening Tool, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]