Vulnerability Development mailing list archives

Re: Blue Boars question...


From: core.lists.exploit-dev () CORE-SDI COM (Gerardo Richarte)
Date: Mon, 10 Jul 2000 15:35:37 -0300


Thomas Dullien wrote:

> If you recap what we can do, you'll find out that most format strings we
> supply could just pop more stuff off the stack and thus crash the
> application.

        I'm not so sure about this...
        If you are using the C calling convention (as almost everybody here is),
the caller is responsible for restoring the stack after the call, not the
callee.
        In fact, this line of code will compile/link/and work just fine:

        printf("%p%p%p%p%p%p%p%p%p%p%p");

        it will print the stack's contents, but not crash, because the caller
knows exactly (: that it pushed just 1 argument, so it will pop only 1 arg.
        however, it is true that you can, almost certainly, crash a program
by changing a format string: just use a lot of '%s', and if you hit a
memory pointer not currently mapped, the formatting function will collapse.

> But if you look at the (v/s/n)printf specifications you'll notice one
> certain format parameter: "%n"...
>
> "%n" will write the number of bytes written so far into the memory location
> pointed to by the corresponding variable on the stack.

         I would like to bring something to attention here:

        the 'n' versions of these functions will write not the "number of bytes
written so far..." as you (and the man pages) say, but the number of bytes that
would have been written so far IF THERE HAD BEEN SPACE FOR IT... meaning:

        snprintf(buf, 1, "%.10000d%n", 0, &anInt);

        will write 10000 into anInt, even though buf's size is said to be 1

        I think this was a decision taken so that moving to the 'n functions' is
a little easier: %n is filled with the same value whether you are using
an 'n function' or a normal function.

        I would vote for not calling this kind of bug a 'buffer overflow' or
the like, because there is no need to overflow any buffer to exploit it; I'll use
"input validation error", as CERT and many others do, until somebody finds a
better name for it...

        richie

--- For a personal reply use gera () core-sdi com
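The snprintf/%n behaviour described in the message above, as an added example that is not part of the original post or of any CORE-SDI code. It reproduces the 1-byte-buffer case with the 10000-digit precision from the post, adds the control case with a buffer that has room, and generalizes the point: the value %n stores is chosen entirely by the precision field, independent of the destination size. The function names, the use of `%.*d` to take the precision from an argument, and the 10001-byte control buffer are this example's own choices; the counts were checked against glibc.

```c
#include <stdio.h>

/* Added example, not code from the original post. With the 'n' functions
 * %n stores the number of characters that WOULD have been written had the
 * buffer been large enough, so a 1-byte destination does not limit the
 * value %n stores. Function names and buffer sizes are this example's own. */

/* The post's snprintf(buf,1,...) case. "%.10000d" of the value 0 expands
 * to 10000 zero digits, none of which fit; %n still records 10000. */
int n_count_into_one_byte_buffer(void)
{
    char buf[1];
    int count = -1;
    snprintf(buf, sizeof buf, "%.10000d%n", 0, &count);
    return count;
}

/* snprintf's return value is the same untruncated length, so the %n value
 * and the return value agree even when nothing was stored. */
int snprintf_untruncated_length(void)
{
    char buf[1];
    return snprintf(buf, sizeof buf, "%.10000d", 0);
}

/* Generalization: choose the value %n stores purely through the precision
 * field, however small the destination is. "%.*d" takes the precision from
 * an int argument; 'target' must be non-negative, so -1 signals bad input. */
int n_count_chosen_by_precision(int target)
{
    char buf[1];
    int count = -1;
    if (target < 0)
        return -1;
    snprintf(buf, sizeof buf, "%.*d%n", target, 0, &count);
    return count;
}

/* Control: with room for all 10000 digits plus the NUL, %n stores the
 * same value, which is the consistency the post suggests was the reason
 * for this choice of semantics. */
int n_count_with_room(void)
{
    char buf[10001];
    int count = -1;
    snprintf(buf, sizeof buf, "%.10000d%n", 0, &count);
    return count;
}

int main(void)
{
    printf("1-byte buffer, %%n stored:     %d\n", n_count_into_one_byte_buffer());
    printf("snprintf return value:        %d\n", snprintf_untruncated_length());
    printf("precision 4242, %%n stored:    %d\n", n_count_chosen_by_precision(4242));
    printf("10001-byte buffer, %%n stored: %d\n", n_count_with_room());
    return 0;
}
```

Compile with the usual `cc -Wall`; the format strings are literals, so a fortified build that rejects `%n` in writable memory will still accept them. The point to carry away is that truncation by the 'n' functions protects the destination buffer, not the target of `%n`.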

