Vulnerability Development mailing list archives
Re: Format Bugs in Windows Code?
From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Wed, 13 Sep 2000 12:36:05 +0200
IMHO, this is an issue with similarities to doing secure popen, secure CGIs etc. What we've seen among those pieces of software is that although at first glance everything appears to be secure, things aren't really done properly anyway. Or to put it into other words, sending %s%s%s%s%s%s will work with

  fgets(str, size, stdin);
  printf(str);

which should be easy to track down. But I'm betting a dollar or two that we will find far less obvious mistakes, where it is much harder to find the bugs. I mean, we could actually have something like:

  fgets(str, size, stdin);
  printf("%s", str);
  .
  .
  lots of lines later, in a branch rarely taken:
  printf(str);

And so on - I guarantee that there are more ways to write hard-to-find bugs, especially if the source isn't available... Comments?
Fair enough. It does seem more difficult to detect a format bug in binary code than to detect overflowable buffers. The "fuzz" approach of barfing long strings at every available orifice detects overflowable buffers, but you have to do something more deft to detect format bugs. Is there any reason why using strings "polluted" with format tags should not work? Repeated %s's or %n's are probably the best choice because it is very likely a vulnerable program will go down in flames when it tries to interpret such a string.
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
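An added illustration, not code from the thread: the two patterns discussed above, written so the defensive side is visible. count_conversions() shows what a "polluted" probe looks like to the program, log_user_message() binds untrusted input to a "%s" conversion so the tokens are rendered literally, and the format attribute on log_fmt() makes the compiler (gcc/clang with -Wformat-security) flag a non-literal format at every call site, including a rarely taken branch that source review would miss. Function names are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion specifiers in untrusted input ("%%" is a
   literal percent sign and is not counted). A probe such as "%s%s%s%s" has
   four; if that buffer ever reaches printf() as the *format* argument, each
   one consumes an argument the caller never supplied. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent sign, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hypothetical logging helper. The format attribute (a GCC/Clang extension,
   ignored elsewhere) lets -Wformat-security warn on any call that passes a
   non-literal format string, wherever in the code that call sits. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Correct use: untrusted data is always the argument of a "%s" conversion,
   so a "%s%n" probe comes out as those literal characters. Returns the
   length vsnprintf would have written. */
int log_user_message(char *out, size_t outsz, const char *user)
{
    return log_fmt(out, outsz, "user said: %s", user);
}

/* The misuse the attribute catches at compile time, even in a rarely taken
   branch:  log_fmt(out, outsz, user);  -- user becomes the format string. */
```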