Full Disclosure mailing list archives

Re: [FDSA] Sort - Critical Format String Vulnerability


From: "Joey Mengele" <joey.mengele () hushmail com>
Date: Fri, 18 Jan 2008 08:56:00 -0500

Dear Lombard Retard,

Excellent analysis, except it is completely wrong LOLOLOLOL.

Try %n.

J

"Gratitude is a sickness suffered by dogs." - Gadi Evron

On Fri, 18 Jan 2008 02:45:41 -0500 Tonnerre Lombard <tonnerre.lombard () sygroup ch> wrote:
Salut, Fredrick,

On Thu, 17 Jan 2008 12:05:13 -0600 "Fredrick Diggle" <fdiggle () gmail com> wrote:
The following output shows a manifestation of this vulnerability:

C:\>sort AAAA%x.%x.%x.%x
AAAA7c812f39.0.0.41414141The system cannot find the file specified.

This is actually confirmed on Windows 2000 and XP.

This vulnerability can be trivially exploited to execute arbitrary code on the computer machine.

There I don't agree however, it is a simple memory reading vulnerability.

The following command line will use sort.exe to execute the windows calculator.

C:\>sort CALC.EXE%x%x%x%n | calc

That's not very surprising since you pipe into the calculator so it is spawned by the shell.

Severity: Quite High

There I don't agree. In theory, there should not be anything important in the memory of the sort process which is not already known to the user executing it anyway. It is clearly a bug though, and wants to be fixed. So congratulations on a working, though overdramatized, discovered format string vulnerability.

                              Tonnerre
-- 
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33           Güterstrasse 86
Fax:+41 61 383 14 67           4053 Basel
Web:www.sygroup.ch             tonnerre.lombard () sygroup ch

--
You'll be blown away. Click now for a high performance snow blower!
http://tagline.hushmail.com/fc/Ioyw6h4dZvl6gf9aEYJnZSNwcXWnkbXnADvQOMgzZEtqQhjoqC2Fpm/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
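Joey's one-line correction ("Try %n") is the whole argument: "%x" only reads values off the caller's stack, whereas "%n" stores a count through a pointer taken from that same stack, which is what turns a leak into a write and a write into code execution. The C program below is an added example, not code from the thread and not sort.exe's code; it assumes nothing about how sort.exe builds its error message and models the bug class only in a comment, because calling a printf-family function with attacker directives and no matching arguments is undefined behaviour. With the %n target supplied explicitly the behaviour is defined, so the program shows what the directive stores, how the field width lets the attacker choose the stored value, the "%s" fix, and a pre-check for untrusted strings that will reach a format argument. The sample strings are the proof-of-concept inputs from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Output buffer shared by the demonstrations below. */
static char g_out[256];

/* The bug class, as a comment only (undefined behaviour with directives):
 *     snprintf(out, n, user);   // "%x" reads the caller's stack,
 *                               // "%n" writes through a pointer found there
 * The fix: the user string is an argument and is never interpreted, so
 * "%x" and "%n" in it are copied as literal text. */
static int safe_copy(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "%s", user);
}

/* %n writes the number of bytes emitted so far into the int its argument
 * points to. Here that pointer is supplied explicitly; in an exploit it is
 * whatever sits in the next argument slot on the stack, e.g. the 0x41414141
 * the attacker placed there with the leading "AAAA". */
static int bytes_written_by_n(const char *prefix)
{
    char buf[4096];
    int written = -1;
    snprintf(buf, sizeof buf, "%s%n", prefix, &written);
    return written;
}

/* Why %n is a write primitive: the field width decides how many bytes
 * precede it, so the attacker chooses the value that gets stored. "%*d"
 * takes the width from an argument; an exploit string would spell it out
 * as e.g. "%65d%n". Widths are capped so the padding fits the buffer. */
static int value_stored_by_n(int want)
{
    char buf[4096];
    int stored = -1;
    if (want < 1 || want > 4000)
        return -1;
    snprintf(buf, sizeof buf, "%*d%n", want, 0, &stored);
    return stored;
}

/* Cheap pre-check for an untrusted string that is about to become a format:
 * any '%' not escaped as "%%" is a directive. Returns 1 if one is found. */
static int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: the two proof-of-concept arguments from the thread. */
    const char *leak_poc  = "AAAA%x.%x.%x.%x";
    const char *write_poc = "CALC.EXE%x%x%x%n";

    printf("directive in \"%s\": %d\n", leak_poc, has_format_directive(leak_poc));
    printf("%%n after \"CALC.EXE\" stores %d\n", bytes_written_by_n("CALC.EXE"));
    printf("%%*d%%n with width 0x41 stores 0x%x\n", value_stored_by_n(0x41));
    safe_copy(g_out, sizeof g_out, write_poc);
    printf("safe copy leaves the directives inert: %s\n", g_out);
    return 0;
}
```

The width trick is the whole reason "%n" matters for severity: a leak of a few stack words is what Tonnerre describes, but a directive that stores an attacker-chosen integer at an attacker-chosen address is a write primitive, and with two or four of them the value can be assembled a byte or short at a time. Compilers flag the vulnerable call (gcc and clang's -Wformat-security warns on a non-literal format with no arguments), which is the first thing to grep a build log for.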