Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [FDSA] Sort - Critical Format String Vulnerability

From: reepex <reepex () gmail com>
Date: Fri, 18 Jan 2008 11:39:10 -0600
LOL you are an idiot

could you please google format string 101, read the printf man page, and
leave security forever

On Jan 18, 2008 1:45 AM, Tonnerre Lombard <tonnerre.lombard () sygroup ch>
wrote:


Salut, Fredrick,

On Thu, 17 Jan 2008 12:05:13 -0600 "Fredrick Diggle"
<fdiggle () gmail com> wrote:

The following output shows a manafestation of this vulnerability:

C:\>sort AAAA%x.%x.%x.%x
AAAA7c812f39.0.0.41414141The system cannot find the file specified.


This is actually confirmed on Windows 2000 and XP.


This vulnerability can be trivially exploited to execute arbitrary
code on the computer machine.


There I don't agree however, it is a simple memory reading
vulnerability.


The following command line will use sort.exe to execute the windows
calculator.

C:\>sort CALC.EXE%x%x%x%n | calc


That's not very surprising since you pipe into the calculator so it is
spawned by the shell.


Severity: Quite High


There I don't agree. In theory, there should not be anything important
in the memory of the sort process which is not already known to the
user executing it anyway. It is clearly a bug though, and wants to be
fixed. So congratulations to a working, though overdramatizised,
discovered format string vulnerability.

                               Tonnerre
--
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33            Güterstrasse 86
Fax:+41 61 383 14 67            4053 Basel
Web:www.sygroup.ch              tonnerre.lombard () sygroup ch

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: