Vulnerability Development mailing list archives

Re: format-string exploit under Windows?


From: 11a () GMX NET (Bluefish)
Date: Thu, 13 Jul 2000 14:37:14 +0200


> sprintf(errmsg, _("%s: Interrupt/Exception caugh "), prg);
> fprintf(stderr, errmsg);
> The important thing for me is the fprintf() without a proper format string.
> So is it possible to exploit that vulnerability in fprintf() by putting
> some evil code into 'prg'? Assuming it is less than 1024 because of the buffer
> overflow in sprintf() :)
> Has someone tried something like this on his own Windows?
> Hints?

Under Unix, you don't want people to be able to write to a terminal
unfiltered because it can be used to send commands like "rm -rf /" through
ANSI features (or whatever terminal mode is in use)

For MS/PC-DOS, you were careful NOT to load ANSI.SYS if you e.g. were
hosting a BBS. That was because "ANSI bombs", very similar to the Unix
problems, could be sent then. "type ansibomb.txt" or "pkunzip
ansibomb.zip" could be enough to wipe out your entire BBS. But if you
simply didn't load ANSI.SYS, you were safe.

To the best of my knowledge, the same is true for Windows. If you don't
load ANSI support, you are safe. This should of course be verified before
trusting my words blindly ;) Anyone tried ansibombs against Windows9x or
NT?

On PS/2, ANSI is supported directly by the terminal. (you don't have to
load ANSI.SYS) I don't know if it's vulnerable though.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
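
An added example (not code from either poster) illustrating two points from this exchange: the fprintf() format-string question quoted above, shown as the vulnerable pattern beside its fixed form, and the reply's point that untrusted text should not reach a terminal unfiltered, shown as a small filter that strips ESC sequences. The function names, the use of snprintf in place of the post's sprintf (so the 1024-byte buffer cannot overflow), the capture into a buffer instead of stderr, and the sample inputs are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define ERRMSG_SZ 1024   /* the 1024-byte errmsg buffer mentioned in the post */

/* Vulnerable shape from the post. snprintf replaces the post's sprintf so this
 * example cannot overflow errmsg; the format-string bug is kept on purpose.
 * Output goes to 'out' instead of stderr so the result can be inspected.
 * The deliberate bug trips -Wformat-security; silenced so the example builds. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int vulnerable_render(const char *prg, char *out, size_t outsz)
{
    char errmsg[ERRMSG_SZ];
    snprintf(errmsg, sizeof errmsg, "%s: Interrupt/Exception caught ", prg);
    /* BUG: errmsg, which embeds attacker-controlled 'prg', is used as the format,
     * so any %-directive inside prg is interpreted by the printf engine. */
    return snprintf(out, outsz, errmsg);
}
#pragma GCC diagnostic pop

/* Hardened form: the format is a literal and the data travels as an argument. */
int hardened_render(const char *prg, char *out, size_t outsz)
{
    char errmsg[ERRMSG_SZ];
    snprintf(errmsg, sizeof errmsg, "%s: Interrupt/Exception caught ", prg);
    return snprintf(out, outsz, "%s", errmsg);
}

/* Quick check a caller can apply to an untrusted program name. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Remove ESC sequences (CSI "ESC [ params final" and two-byte "ESC x") so
 * untrusted text cannot drive terminal features such as ANSI.SYS key
 * reassignment. Returns the length of the filtered string. */
size_t strip_terminal_escapes(const char *in, char *out, size_t outsz)
{
    size_t i = 0, o = 0;
    while (in[i] != '\0') {
        if (in[i] == 0x1b) {
            i++;
            if (in[i] == '[') {
                i++;
                /* parameter/intermediate bytes are below 0x40; final byte is 0x40-0x7E */
                while (in[i] != '\0' && (unsigned char)in[i] < 0x40) i++;
                if (in[i] != '\0') i++;          /* consume the final byte */
            } else if (in[i] != '\0') {
                i++;                             /* two-byte escape */
            }
            continue;
        }
        if (o + 1 < outsz) out[o++] = in[i];
        i++;
    }
    if (outsz) out[o] = '\0';
    return o;
}

/* Helpers so the behaviour can be checked without printing. */
int vulnerable_renders_as(const char *prg, const char *expected)
{
    char buf[ERRMSG_SZ];
    vulnerable_render(prg, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int hardened_renders_as(const char *prg, const char *expected)
{
    char buf[ERRMSG_SZ];
    hardened_render(prg, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int strips_to(const char *in, const char *expected)
{
    char buf[ERRMSG_SZ];
    strip_terminal_escapes(in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[ERRMSG_SZ];
    /* constructed input: "%%" is collapsed by the vulnerable path, kept by the fixed one */
    const char *prg = "100%%";
    vulnerable_render(prg, buf, sizeof buf);
    printf("vulnerable: %s\n", buf);
    hardened_render(prg, buf, sizeof buf);
    printf("hardened:   %s\n", buf);
    /* constructed ANSI.SYS-style key reassignment in numeric form, final byte 'p' */
    strip_terminal_escapes("ls\x1b[65;114;109;13pok", buf, sizeof buf);
    printf("filtered:   %s\n", buf);
    return 0;
}
```

The "%%" probe is deliberately harmless and deterministic: it only shows that directives inside 'prg' reach the printf engine in the vulnerable path and are printed literally in the fixed one. The escape filter is a conservative whitelist of what it passes through, not a full ECMA-48 parser; anything it does not recognise after ESC is dropped rather than forwarded.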

