<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="MSHTML 5.00.2614.3500" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>thx to mr wysopal at vulnwatch for the
bugfixed release:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Application: Netcat for Windows 1.1<BR>
Platform: Windows NT/2000/XP/2003<BR> Severity: Remote code
execution<BR> Status: Fixed, new version
available<BR> Date:
12/27/2004<BR><BR><BR>Summary<BR><BR>Netcat for Windows 1.1 has a buffer
overflow vulnerability that allows<BR>remote execution of code. It is exposed
when netcat is run using the -e<BR>option which execs a process and pipes the
listening socket io to the<BR>stdio of the exec'd process.<BR><BR>Note that this
issue does not exist in netcat for the unix
platform.<BR><BR><BR>Details<BR><BR>doexec.c (line 445) was missing a check to
see if BufferCnt had<BR>incremented past the end of the receive buffer. 
With the check in place<BR>the buffer is flushed before it overwrites the
With the check in place<BR>the buffer is flushed before it overwrites the
end. The following new<BR>line adds the check.<BR><BR> if
(RecvBuffer[0] == '\n' || RecvBuffer[0] == '\r'
||<BR> BufferCnt > BUFFER_SIZE-1)
{<BR><BR><BR>Update<BR><BR>A fixed version, Netcat for Windows 1.11, is
available at:<BR><A
href="http://www.vulnwatch.org/netcat/">http://www.vulnwatch.org/netcat/</A><BR><BR><BR>Credit<BR><BR>Hat
Squad discovered this vulnerability. Hat Squad's advisory is<BR>available
at <A
href="http://www.hat-squad.com/en/000142.html">http://www.hat-squad.com/en/000142.html</A><BR><BR><BR><BR></FONT></DIV>
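<DIV><FONT face=Arial size=2>The Details section above describes a receive loop that stores bytes at BufferCnt and has to flush before the counter passes the end of the buffer. The following C model is an added example, not code from doexec.c or from the advisory; feed(), struct result and the 8-byte BUFFER_SIZE are assumptions, and it counts the out-of-bounds stores an unchecked loop would make instead of performing them.</FONT></DIV>

```c
#include <stddef.h>
#include <stdio.h>

#define BUFFER_SIZE 8   /* constructed small value so a short input fills it */

struct result {
    char   buf[BUFFER_SIZE]; /* contents of the line buffer when feed() returns */
    size_t flushes;          /* times the buffer was handed to the sink */
    size_t forwarded;        /* bytes handed to the sink */
    size_t oob_writes;       /* stores that would have landed past buf's end */
};

/* Feed len received bytes through an accumulate-and-flush loop.
 * with_check = 0 models the loop without the bounds test, 1 with it.
 * Out-of-bounds stores are counted, never performed. */
static struct result feed(const char *data, size_t len, int with_check)
{
    struct result r = {{0}, 0, 0, 0};
    size_t cnt = 0;                       /* plays the role of BufferCnt */

    for (size_t i = 0; i < len; i++) {
        char c = data[i];
        if (cnt < BUFFER_SIZE)
            r.buf[cnt] = c;
        else
            r.oob_writes++;               /* unchecked code corrupts memory here */
        cnt++;

        if (c == '\n' || c == '\r' ||
            (with_check && cnt > BUFFER_SIZE - 1)) {
            /* Flush: a real program writes buf[0..cnt) to the child process. */
            r.forwarded += cnt < BUFFER_SIZE ? cnt : BUFFER_SIZE;
            r.flushes++;
            cnt = 0;
        }
    }
    return r;
}

int main(void)
{
    const char line[] = "AAAAAAAAAAAAAAAAAAAA";  /* constructed: 20 bytes, no CR/LF */
    struct result before = feed(line, sizeof line - 1, 0);
    struct result after  = feed(line, sizeof line - 1, 1);
    printf("without check: %zu out-of-bounds stores, %zu flushes\n",
           before.oob_writes, before.flushes);
    printf("with check:    %zu out-of-bounds stores, %zu flushes\n",
           after.oob_writes, after.flushes);
    return 0;
}
```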
<DIV><FONT face=Arial
size=2>-------------------------------------------------------------<BR>class101<BR>Hat-Squad.com<BR>-------------------------------------------------------------</FONT></DIV></BODY></HTML>