Testing Exploitable Buffer Overflows From Open Source Code Test suite #88
Description
Zitser, Lippmann, and Leek extracted 14 model programs from internet applications (BIND, Sendmail, WU-FTP) with known buffer overflows. Each model contains the portion of code with the overflow. Patched versions are also included. Examples of using these are given in "Using Exploitable Buffer Overflows From Open Source Code" (2004).
Displaying test cases 1 - 25 of 28 in total
- Off-by-one overflow in fb_realpath() CAN-2003-0466. From MIT benchmarks (models/wu-ftpd/f2) An off-by-one overflow inside the fb_realpath() function that expands a condensed pathname into a fully qualified pathname. To exploit this vulnerability, an attacker would first have to create a deep dir...
- Off-by-one overflow in fb_realpath() CAN-2003-0466. PATCHED version. From MIT benchmarks (models/wu-ftpd/f2) An off-by-one overflow inside the fb_realpath() function that expands a condensed pathname into a fully qualified pathname. To exploit this vulnerability, an attacker would first have to ...
- Realpath() overflow CERT advisory: CA-1999-03/CVE-1999-0368. From MIT benchmarks (models/wu-ftpd/f3) A path overflow inside the realpath() function that canonicalizes a pathname. To exploit this vulnerability, an attacker would first have to create a deep directory structure. Bad file: realpath-2.4...
- Realpath() overflow CERT advisory: CA-1999-03/CVE-1999-0368. PATCHED version. From MIT benchmarks (models/wu-ftpd/f3). A path overflow inside the realpath() function that canonicalizes a pathname. To exploit this vulnerability, an attacker would first have to create a deep directory structure. Patc...
- Mapped CHDIR overflow CA-1999-13, CVE-1999-0878. From MIT benchmarks (models/wu-ftpd/f1) Unchecked strcpy and strcat calls that copy tainted pathnames into a buffer. Bad file: mapped-path-bad.c Bad line number: 107. path[] overflow. Taxonomy classification: 0000100601130000051410 Bad line nu...
- Mapped CHDIR overflow CA-1999-13, CVE-1999-0878. Patched version. From MIT benchmarks (models/wu-ftpd/f1) Unchecked strcpy and strcat calls that copy tainted pathnames into a buffer. Patched file: mapped-path-ok.c Patched line numbers: 102, 144, 148, 167
- nslookupComplain vulnerability: CA-2001-02. From MIT benchmarks (models/bind/b4) Unchecked sprintf call. An attacker may be able to construct a long query that overflows the stack buffer and overwrites the return address of nslookupComplain with the address of the attacker's shell code. Bad file...
- nslookupComplain vulnerability: CA-2001-02. Patched version. From MIT benchmarks (models/bind/b4) Unchecked sprintf call. An attacker may be able to construct a long query that overflows the stack buffer and overwrites the return address of nslookupComplain with the address of the attacker's she...
- SIG-BUG: CA-1999-14. From MIT benchmarks (models/bind/b2) A buffer overflow caused by improper handling of SIG records. Bad file: sig-bad.c Bad line number: 561 Taxonomy classification: 0060301212004
- SIG-BUG: CA-1999-14. Patched version. From MIT benchmarks (models/bind/b2) A buffer overflow caused by improper handling of SIG records. Patched file: sig-ok.c Patched line number: 538
- NXT-BUG: CA-1999-14. From MIT benchmarks (models/bind/b1) A buffer overflow in a memcpy call in the code handling NXT resource records. Bad file: nxt-bad.c Bad line number: 405 Taxonomy classification: 0060301212004
- NXT-BUG: CA-1999-14. Patched version. From MIT benchmarks (models/bind/b1) A buffer overflow in a memcpy call in the code handling NXT resource records. Patched file: nxt-ok.c Patched line number: 455
- IQUERY-BUG CA-98.05, CVE-1999-0009. From MIT benchmarks (models/bind/b3) A buffer overflow resulting from improper bounds checking of a memcpy call when responding to inverse query requests. Bad file: iquery-bad.c Bad line number: 135 Taxonomy classification: 0000301200004
- IQUERY-BUG CA-98.05, CVE-1999-0009. Patched version. From MIT benchmarks (models/bind/b3) A buffer overflow resulting from improper bounds checking of a memcpy call when responding to inverse query requests. Patched file: iquery-ok.c Patched line number: 142
- Remote Sendmail Header Processing Vulnerability: CA-2003-07. From MIT benchmarks (models/sendmail/s1) Buffer overflow vulnerability allows remote attackers to execute arbitrary commands by sending e-mails with cleverly formatted address fields related to the sender and recipient header comments. ...
- Remote Sendmail Header Processing Vulnerability: CA-2003-07. Patched version. From MIT benchmarks (models/sendmail/s1) Buffer overflow vulnerability allows remote attackers to execute arbitrary commands by sending e-mails with cleverly formatted address fields related to the sender and recipient ...
- Gecos Overflow: CVE-1999-0131. From MIT benchmarks (models/sendmail/s2) A buffer overflow in the code that handles the user's gecos field (real name field), which is found in the password file. Bad file: util-bad.c Bad line numbers: 184, 308 Taxonomy classification: 0000406321103
- Gecos Overflow: CVE-1999-0131. Patched version. From MIT benchmarks (models/sendmail/s2) A buffer overflow in the code that handles the user's gecos field (real name field), which is found in the password file. Patched file: recipient-ok.c Patched line numbers: 184, 308 Patched file: util-ok.c Pat...
- Sendmail 8.8.0/8.8.1 MIME Overflow CVE-1999-0206. From MIT benchmarks (models/sendmail/s3) A remote attacker can send a cleverly crafted e-mail message and trigger a buffer overflow, gaining root access on the server running Sendmail. Bad file: mime1-bad.c Bad line numbers: 239, 254, 266 Taxono...
- Sendmail 8.8.0/8.8.1 MIME Overflow CVE-1999-0206. Patched version. From MIT benchmarks (models/sendmail/s3) A remote attacker can send a cleverly crafted e-mail message and trigger a buffer overflow, gaining root access on the server running Sendmail. Patched file: mime1-ok.c Patched line numbe...
- Sendmail 8.8.3/8.8.4 MIME Overflow CVE-1999-0047. From MIT benchmarks (models/sendmail/s4) A remote attacker can send a cleverly crafted e-mail message and trigger a buffer overflow, gaining root access on the server running Sendmail. Bad file: mime2-bad.c Bad line numbers: 203, 216, 230, 234, 2...
- Sendmail 8.8.3/8.8.4 MIME Overflow CVE-1999-0047. Patched version. From MIT benchmarks (models/sendmail/s4) A remote attacker can send a cleverly crafted e-mail message and trigger a buffer overflow, gaining root access on the server running Sendmail. Patched file: mime2-ok.c Patched line numbe...
- prescan() overflow: CA-2003-12. From MIT benchmarks (models/sendmail/s5) The buffer overflow results from an unintended type cast from a signed character to a signed integer. Bad file: prescan-overflow-bad.c Bad line numbers: 399, 420, 519 Taxonomy classification: 0000506111404
- prescan() overflow: CA-2003-12. Patched version. From MIT benchmarks (models/sendmail/s5) The buffer overflow results from an unintended type cast from a signed character to a signed integer. Patched file: prescan-overflow-ok.c Patched line numbers: 404, 431, 535
- tTflag Buffer Underrun: CVE-2001-0653. From MIT benchmarks (models/sendmail/s6) Due to a type casting side effect (assigning unsigned int to signed int), it is possible to write data to a negative index of a buffer. Bad file: tTflag-bad.c Bad line number: 170 To fix, declare indexes as unsigne...