[21872] in bugtraq
Re: Telnetd AYT overflow scanner
daemon@ATHENA.MIT.EDU (der Mouse)
Wed Jul 25 18:23:14 2001
Date: Wed, 25 Jul 2001 16:18:00 -0400 (EDT)
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Message-Id: <200107252018.QAA25946@Twig.Rodents.Montreal.QC.CA>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
To: bugtraq@securityfocus.com
> /*
> * Telnetd AYT overflow scanner, by Security Point(R)
> * Bug found by scut of TESO Security
[...]
> * With Security Point(R) Scanner you can find and repair the
> * Vulnerabilities before the bad guys get in.
Does anyone else find it as ironic as I that this code contains
a..buffer overflow?
> char sendbuffer[5120*2];
> bzero(sendbuffer,sizeof(sendbuffer));
> for (i=0;i!=(sizeof(sendbuffer)/2);i++) {
> sprintf(sendbuffer,"%s%c%c",sendbuffer,255,246); // 0xff 0xf6 - IAC AYT
> }
Quite aside from the _horrible_ misuse of sprintf, this writes a NUL
one byte past the end of sendbuffer[].
I sure wouldn't trust anything about my system to code from whoever
wrote this. Just on a quick once-over, I see seven other things I
would say are wrong with it.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
