I once scanned myself from the internet, and port 8010/tcp was detected.
My PSI Jabber file transfer service was exposed to the internet.
Then I fuzzed this service and found a nice DoS.
A signed integer check lets you crash remote PSI clients, and I think it is not possible to overflow the heap, because the destination buffer is reallocated to the same number of bytes to be copied.
I reported it to the coders, and they gave me the OK to publish the advisory:
advisory
exploit
Be careful with the services you are exposing to the internet, and be careful with your client applications (browser, Jabber, MSN, email client...).
Code has bugs ;)
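As an added illustration of the bug class the post describes (not the author's exploit and not Psi's code; the struct, function names and the 65536 limit are made up), this C snippet shows how a length range-checked as a signed int lets a negative value through and turns into an enormous size_t at realloc()/memcpy(), next to a hardened version that bounds the length before resizing and copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHUNK 65536   /* assumed per-chunk limit; an int, so comparisons are signed */

struct chunk_buf { unsigned char *data; size_t len; };

/* Weak check modelled on the post's description: the peer-supplied length is
 * range-checked as a signed int, so -1 passes "len > MAX_CHUNK".  Returns the
 * byte count the code would then hand to realloc()/memcpy(), or 0 if rejected.
 * For -1 that is SIZE_MAX: the allocation fails or the copy runs off the end
 * and the client dies, which is the DoS the post describes. */
size_t weak_requested_size(int32_t len) {
    if (len > MAX_CHUNK)
        return 0;                  /* only large positive values are rejected */
    return (size_t)len;            /* negative -> enormous size_t */
}

/* Hardened version: reject negative and oversized lengths, and never copy more
 * than the bytes actually received (avail).  The destination is resized to
 * exactly n bytes, as in the post, so the copy itself cannot overflow.
 * Returns 0 on success, -1 if the chunk is rejected or memory is short. */
int safe_receive(struct chunk_buf *b, const unsigned char *src,
                 size_t avail, int32_t len) {
    if (len < 0 || (size_t)len > (size_t)MAX_CHUNK || (size_t)len > avail)
        return -1;
    size_t n = (size_t)len;
    unsigned char *p = realloc(b->data, n ? n : 1);  /* avoid realloc(.., 0) */
    if (!p)
        return -1;
    memcpy(p, src, n);
    b->data = p;
    b->len = n;
    return 0;
}

int main(void) {
    const unsigned char pkt[] = "hello";   /* constructed payload: 5 bytes + NUL */
    struct chunk_buf b = { NULL, 0 };
    printf("weak check, len=-1 -> requests %zu bytes\n", weak_requested_size(-1));
    printf("safe check, len=-1 -> %d\n", safe_receive(&b, pkt, sizeof pkt, -1));
    int rc = safe_receive(&b, pkt, sizeof pkt, 5);
    printf("safe check, len=5  -> %d (copied %zu bytes)\n", rc, b.len);
    free(b.data);
    return 0;
}
```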
Comments
I haven't checked it in detail, but I found it a little bit weird to have this kind of control over a memcpy() and the 'best' attack could result in just a DoS.
I might be wrong though.
You can control the data to be copied by the memcpy, and you can also say the number of bytes to copy.
But the destination buffer is resized to the same number of bytes to be copied.
So there is no heap overflow, unless the C++ resize implementation allocates less space than it should.