
Subject: [Full-disclosure] [xfocus-SD-051202]openMotif libUil Multiple vulnerability
Date: Fri, 02 Dec 2005 10:59:05 +0800
Title:  [xfocus-SD-051202]openMotif-libUil-Multiple_vulnerability

Affected version: openmotif 2.2.3 (we did not have 2.2.4, so it was not
tested)
Product: http://www.motifzone.net/

xfocus (http://www.xfocus.org) has discovered multiple vulnerabilities in
the openmotif libUil library. Details follow:

1: libUil.so diag_issue_diagnostic buffer overflow

Clients/uil/UilDiags.c
diag_issue_diagnostic()
    202 void    diag_issue_diagnostic
    203             ( int d_message_number, src_source_record_type *az_src_rec,
    204               int l_start_column, ...)
    205
    206 {
    207     va_list     ap;                     /* ptr to variable length parameter */
    208     int         severity;               /* severity of message */
    209     int         message_number;         /* message number */
    210     char        msg_buffer[132];        /* buffer to construct message */
    211     char        ptr_buffer[buf_size];   /* buffer to construct pointer */
    212     char        loc_buffer[132];        /* buffer to construct location */
    213     char        src_buffer[buf_size];   /* buffer to hold source line */
......
    293     va_start(ap, l_start_column);
    294
    295 #ifndef NO_MESSAGE_CATALOG
    296[1.1]     vsprintf( msg_buffer,
    297               catgets(uil_catd, UIL_SET1, msg_cat_table[ message_number ],
    298                       diag_rz_msg_table[ message_number ].ac_text),
    299              ap );
    300 #else
    301[1.2]     vsprintf( msg_buffer,
    302               diag_rz_msg_table[ message_number ].ac_text,
    303               ap );
    304 #endif
    305     va_end(ap);

[1.1][1.2] The calls to vsprintf will cause a buffer overflow if ap is
user-supplied data, so a local or remote application that uses this library
may allow execution of arbitrary code.

2: libUil.so open_source_file buffer overflow

Clients/uil/UilSrcSrc.c

    620 status
    621 open_source_file( XmConst char           *c_file_name,
    622                   uil_fcb_type           *az_fcb,
    623                   src_source_buffer_type *az_source_buffer )
    624 {
    625
    626     static unsigned short       main_dir_len = 0;
    627     boolean                     main_file;
    628     int                         i;  /* loop index through include files */
    629     char                        buffer[256];
    630
    631
    632     /* place the file name in the expanded_name buffer */
    633
    634[2.1]   strcpy(buffer, c_file_name);
    635
    636 /*    Determine if this is the main file or an include file.  */
    637
    638     main_file = (main_fcb == NULL);
    639
[2.1] As above.

--EOF

  • [Full-disclosure] [xfocus-SD-051202]openMotif libUil Multiple vulnerability, alert7@xfocus.org <=