Vulnerability Development mailing list archives

Re: Format Bugs in Windows Code?


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Wed, 13 Sep 2000 12:36:05 +0200

IMHO, this is an issue with similarities to doing secure popen, secure
CGIs, etc. What we've seen among that software is that although at
first glance everything appears to be secure, things really aren't done
properly anyway.

Or to put it in other words, sending %s%s%s%s%s%s will work with

  fgets(str, size, stdin);   /* read user input */
  printf(str);               /* user input used as the format string */

which should be easy to track down. But I'm betting a dollar or two that
we will find far less obvious mistakes, where it is much harder to find
the bugs. I mean, we could actually have something like:

  fgets(str, size, stdin);
  printf("%s", str);         /* correct: literal format */
  .
  .
  lots of lines later in a branch rarely taken:
  printf(str);               /* same buffer, now used as the format */

And so on - I guarantee that there are more ways to write hard-to-find
bugs, especially if the source isn't available... Comments?

Fair enough.  It does seem more difficult to detect a format bug in
binary code than to detect overflowable buffers.  The "fuzz" approach
of barfing long strings at every available orifice detects
overflowable buffers, but you have to do something more deft to detect
format bugs.

Is there any reason why using strings "polluted" with format tags should
not work? Repeated %s's or %n's are probably the best choice because it
is very likely a vulnerable program will go down in flames when it tries
to interpret such a string.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
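When the source is available, the "rarely taken branch" case discussed in the thread can be hunted mechanically instead of by feeding polluted strings at runtime. The following scanner is an added example and not from the thread or its authors: it flags printf-family calls whose format argument is not a string literal, and the function names, the FORMAT_ARG table and the sample C fragment are the example's own assumptions.

```python
import re

# Hypothetical scanner, added here and not from the thread: flags printf-family
# calls whose format argument is not a string literal (value = 0-based arg index).
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG) + r")\s*\(")

def split_args(text):
    """Split a C argument list (text after '(') at top-level commas."""
    args, cur, depth, in_str, i = [], "", 0, False, 0
    while i < len(text):
        c = text[i]
        if in_str:                       # inside "...": copy, honouring \" escapes
            cur += c + (text[i + 1:i + 2] if c == "\\" else "")
            i += c == "\\"
            in_str = c != '"'
        elif c == "," and depth == 0:
            args.append(cur.strip()); cur = ""
        elif c in ")]}" and depth == 0:  # closing paren of the call itself
            return args + [cur.strip()]
        else:
            in_str = c == '"'
            depth += (c in "([{") - (c in ")]}")
            cur += c
        i += 1
    return None                          # call spans lines: skipped by this scanner

def find_nonliteral_formats(source):
    """Return (line, function, format_expr) for every suspicious call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//")[0]       # ignore trailing line comments
        for m in CALL_RE.finditer(code):
            func = m.group(1)
            args = split_args(code[m.end():])
            if args is None or FORMAT_ARG[func] >= len(args):
                continue
            fmt = args[FORMAT_ARG[func]]
            if not fmt.startswith('"'):  # a literal format is the safe case
                findings.append((lineno, func, fmt))
    return findings

# Constructed sample modelled on the snippet in the post above.
SAMPLE_C = """\
fgets(str, sizeof str, stdin);
printf("%s", str);            /* safe: literal format */
if (rare_condition) {
    printf(str);              /* the buried bug */
    syslog(LOG_ERR, str);     /* same class of bug */
}
"""
```

Running find_nonliteral_formats(SAMPLE_C) reports lines 4 and 5 only; the literal-format call on line 2 is left alone, which is exactly the distinction the thread says a blind long-string fuzz cannot make.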

