Vigil@nce - Solaris 10: buffer overflow of econvert and ecvt
May 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When an attacker can control the number of digits of the
econvert() and ecvt() functions, he can generate a buffer overflow.
Severity: 1/4
Creation date: 24/05/2010
DESCRIPTION OF THE VULNERABILITY
Functions of the econvert() family (fconvert, gconvert, etc.) and
of the ecvt() family (fcvt, gcvt) convert a real number to a text
string:
econvert(real, ndigit, ...);
ecvt(real, ndigit, ...);
The ndigit parameter indicates the number of digit to store in the
string. However, if this parameter is over 512, a buffer overflow
occurs.
When an attacker can control the number of digits of the
econvert() and ecvt() functions, he can therefore generate a
buffer overflow. Depending on the program which uses
econvert()/ecvt(), he can then generate a denial of service or
execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Solaris-10-buffer-overflow-of-econvert-and-ecvt-9663