Vulnerability Development mailing list archives
Re: format-string exploit under Wndows?
From: sgp () TELSATGP COM PL (Slawek)
Date: Thu, 13 Jul 2000 15:11:55 +0200
On Thursday, July 13, 2000 2:37 PM, Bluefish wrote:
> > sprintf(errmsg, _("%s: Interrupt/Exception caugh "), prg);
> > fprintf(stderr, errmsg);
> >
> > The important thing for me is fprintf() without a proper format string. So
> > is it possible to exploit that vulnerability in fprintf() by putting some
> > evil code into 'prg'? Assuming it is less than 1024 because of buffer
> > overflow in sprintf() :)
>
> Under Unix, you don't want people to be able to write to a terminal
> unfiltered because it can be used to send commands like "rm -rf /" through
> ANSI features (or whatever terminal mode is in use)
Well, I think this time it is not about ANSI bombs but formatting errors. %s, %n etc. can be put in "prg" and I'm almost sure this can be exploited. On the other hand there's no need for such exploits: make is executed with the same privileges as the user who invokes it, and only he could exploit it. Why should he do it? What could he gain from this?

Bye,
Slawek
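The difference between the quoted fprintf(stderr, errmsg) call and its fixed form, as an added C example (not code from this thread or from make): prg is a constructed value, and only the "%%" case is run because it is the one directive that is well defined when no further arguments are supplied.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for fprintf(stderr, ...) that writes to a buffer; same format parsing. */
static void emit(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}
/* The quoted make pattern: prg is copied into errmsg, then errmsg is passed as
 * the FORMAT argument, so every '%' in prg is parsed as a directive. Only "%%"
 * is exercised here, the one case defined with no further arguments. */
void report_vulnerable(char *out, size_t n, const char *prg)
{
    char errmsg[1024];            /* snprintf, not sprintf: keep the two bugs apart */
    snprintf(errmsg, sizeof errmsg, "%s: Interrupt/Exception caught ", prg);
    emit(out, n, errmsg);         /* user-influenced string used as format */
}

/* Hardened form: prg only ever fills a "%s" slot and is never parsed. */
void report_fixed(char *out, size_t n, const char *prg)
{
    char errmsg[1024];
    snprintf(errmsg, sizeof errmsg, "%s: Interrupt/Exception caught ", prg);
    emit(out, n, "%s", errmsg);   /* constant format: data stays data */
}

/* Review helper: number of conversion directives a format parser would see in
 * s ("%%" is an escaped percent, not counted); > 0 in a format argument is a finding. */
int directive_count(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    char a[64], b[64];
    report_vulnerable(a, sizeof a, "make%%");   /* constructed prg value */
    report_fixed(b, sizeof b, "make%%");
    printf("vulnerable: \"%s\"\nfixed:      \"%s\"\n", a, b);
    return 0;
}
```

The vulnerable path collapses "%%" to "%", proving prg was parsed as a format; the fixed path reproduces it verbatim.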