The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Ares FileShare Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://www.aresfileshare.com/> Ares Fileshare is "a P2P application that
supports connecting to several P2P networks eg, Gnutella and OpenFT".
A buffer overflow vulnerability has been discovered in Ares FileShare
software. The buffer overflow can be triggered whenever the program
initiates a search containing an arbitrarily long string.
DETAILS
Vulnerable Systems:
* Ares FileShare version 1.1
Exploitation of a buffer overflow vulnerability in Ares FileShare could
allow execution of arbitrary code. A specially crafted .conf file
(ares.conf - configuration file of Ares FileShare) containing long
searched strings history information or entering a long string for Search
can cause Ares FileShare to overwrite stack space. No checks are made on
the length of data being copied, When a string data is longer than 1065
bytes (1066 or longer), allowing the return address on the stack to be
overwritten (in UNICODE).
Successful exploitation allows remote and local attackers to execute
arbitrary code in the context of the target user that opened the malicious
configuration file or entering specially crafted search data. After this
when user starts Ares FileShare program and selects this malicious entry
from Search Listbox, buffer overflow occurs.
An example malicious ares.conf file is that contains long search history
data:
history = AAAAA.....[ A x 1065 bytes (where the EIP starts in UNICODE)
]AA...\r\n
The data that is written onto the stack is in the form: 0x00410041
41s in hexadecimal = 'A's are controlled by the input. While this tends to
make exploitation more difficult, it does not prevent it, as it may be
possible for an attacker to cause controlled data to be put into a memory
location matching the required format.
ADDITIONAL INFORMATION
The information has been provided by <mailto:kozan@spyinstructors.com>
kozan.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment