Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Ares FileShare 1.1 'Long Searched String' Buffer Overflow Vulnerabili

from [kozan] Network Security [Permanent Link]
Subject: Ares FileShare 1.1 'Long Searched String' Buffer Overflow Vulnerability
Date: 25 Jul 2005 20:30:41 -0000 
Ares FileShare 1.1 'Long Searched String' Buffer Overflow Vulnerability



I. BACKGROUND

Ares Fileshare is one of the most popular P2P application around the world. 
With Ares Fileshare you can connect to several established P2P-networks, 
which will yield more search results with less effort. One of the beauties 
with Ares Fileshare is that you don't have to share files in order to search 
and download, in other words -- you'll be started within seconds.

More information can be found at the following link:




II. DESCRIPTION

Remote and/or exploitation of a buffer overflow vulnerability in Ares FileShare
could allow execution of arbitrary code.

A specially crafted .conf file (ares.conf - configuration file of Ares 
FileShare)
containing long searched strings history information or entering a long string 
for Search can cause Ares FileShare to overwrite stack space.

No checks are made on the length of data being copied, When a string data is 
longer 
than 1065 bytes (1066 or longer), allowing the return address on the stack to 
be 
overwritten (in UNICODE).



III. ANALYSIS

Successful exploitation allows remote and/or local attackers to execute 
arbitrary
code in the context of the target user that opened the malicious configuration 
file
or entering specially crafted search data.

After this when user starts Ares FileShare program and selects this malicious
entry from Search Listbox, buffer overflow occurs.

An example malicious ares.conf file is that contains long searc history data:

history = AAAAA.....[ A x 1065 bytes (where the EIP starts in UNICODE) 
]AA...\r\n

The data that is written onto the stack is in the form: 0x00410041

41s in hexadecimal = 'A's are controlled by the input. While this
tends to make exploitation more difficult, it does not prevent it, as it
may be possible for an attacker to cause controlled data to be put into
a memory location matching the required format.



IV. DETECTION

Ares FileShare 1.1 is vulnerable. Earlier versions strongly might be 
vulnerable to this issue.



V. WORKAROUND

User awareness is the best method of defense against this class of
attack. Users must be wary when opening files from untrusted sources.

When possible, run client software, as regular user accounts with
limited access to system resources. This may limit the immediate
consequences of client-side vulnerabilities.



Discovered by Kozan
Credits to ATmaCA
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Ares FileShare 1.1 'Long Searched String' Buffer Overflow Vulnerability, kozan <=
Previous by Date:  [Full-disclosure] [USN-154-1] vim vulnerability, Martin Pitt
Next by Date:  fetchmail security announcement fetchmail-SA-2005-01, Matthias Andree
Previous by Thread:  [Full-disclosure] [USN-154-1] vim vulnerability, Martin Pitt
Next by Thread:  fetchmail security announcement fetchmail-SA-2005-01, Matthias Andree
Indexes:  [Date] [Thread] [Top] [All Lists]