Vulnerability Development mailing list archives
Re: format-string exploit under Wndows?
From: 11a () GMX NET (Bluefish)
Date: Thu, 13 Jul 2000 14:37:14 +0200
> sprintf(errmsg, _("%s: Interrupt/Exception caugh "), prg);
> fprintf(stderr, errmsg);
>
> The important thing for me is the fprintf() without a proper format string. So is it possible to exploit that vulnerability in fprintf() by putting some evil code in 'prg'? Assuming it is less than 1024 because of the buffer overflow in sprintf() :)
>
> Has someone tried something like this with their own Windows? Hints?
Under Unix, you don't want people to be able to write to a terminal unfiltered because it can be used to send commands like "rm -rf /" through ANSI features (or whatever terminal mode is in use).

For MS/PC-DOS, you were careful NOT to load ANSI.SYS if you were, e.g., hosting a BBS. That was because "ANSI bombs", very similar to the Unix problem, could be sent then. "type ansibomb.txt" or "pkunzip ansibomb.zip" could be enough to wipe out your entire BBS. But if you simply didn't load ANSI.SYS, you were safe.

To the best of my knowledge, the same is true for Windows. If you don't load ANSI support, you are safe. This should of course be verified before trusting my words blindly ;) Anyone tried ANSI bombs against Windows 9x or NT?

On PS/2, ANSI is supported directly by the terminal (you don't have to load ANSI.SYS). I don't know if it's vulnerable though.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
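The two-line pattern quoted in the question (format the message with sprintf, then hand that message to fprintf as its format string) is the classic format-string bug, independent of terminals or ANSI.SYS. The following is an added, self-contained illustration written for this archive page; it is not code from either poster or from the program the question quotes. The function names, the use of snprintf into a buffer in place of fprintf(stderr, ...), and the input string "tar%%x" are assumptions chosen so the behaviour is deterministic and can be inspected: an escaped percent collapses to a single "%" only in the path that re-parses the message as a format, which is the observable sign that any "%x", "%s" or "%n" smuggled in through prg would be interpreted too. A small directive counter shows the check a reviewer would apply to any untrusted string before it can reach a format parameter.

```c
#include <stdio.h>
#include <string.h>

/* Same two steps as the code in the question: build an error message that
   embeds the attacker-controlled program name, then pass that MESSAGE as the
   format string of a second printf-family call.  snprintf into a caller
   buffer stands in for fprintf(stderr, ...) so the result can be inspected
   (assumption made for this example; the bug is identical with fprintf). */
int vulnerable_render(char *out, size_t outlen, const char *prg)
{
    char errmsg[1024];
    snprintf(errmsg, sizeof errmsg, "%s: Interrupt/Exception caught", prg);
    /* BUG: errmsg is the format argument.  Every %-directive that arrived
       through prg is interpreted here: %x reads stack/register words,
       %s dereferences them, %n writes the number of bytes emitted so far
       to an attacker-chosen address.  gcc/clang -Wformat-security warns
       on exactly this line. */
    return snprintf(out, outlen, errmsg);
}

/* Fixed form: the untrusted text is only ever an ARGUMENT to a constant
   format, so its percent signs are copied, never interpreted. */
int safe_render(char *out, size_t outlen, const char *prg)
{
    char errmsg[1024];
    snprintf(errmsg, sizeof errmsg, "%s: Interrupt/Exception caught", prg);
    return snprintf(out, outlen, "%s", errmsg);
}

/* Number of conversion directives an untrusted string would trigger if it
   were used as a format: every '%' that is not the first half of "%%".
   Non-zero means the string must never reach a format parameter. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is the literal percent escape */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char out[256];
    /* Constructed input: a program name carrying an escaped percent.  It is
       harmless and deterministic, but shows the message being re-parsed as
       a format: "%%" collapses to "%" only in the vulnerable path. */
    const char *prg = "tar%%x";

    vulnerable_render(out, sizeof out, prg);
    printf("vulnerable: %s\n", out);
    safe_render(out, sizeof out, prg);
    printf("safe:       %s\n", out);
    printf("directives in \"%%x%%x%%n\": %d\n",
           count_format_directives("%x%x%n"));
    return 0;
}
```

Run with a real "%x %x %x" in prg and the vulnerable path prints whatever the C runtime finds where the missing arguments would have been; that part is undefined behaviour and varies by compiler and platform, which is why the deterministic "%%" case is used above. Two practical notes on the Windows question: the bug compiles and misbehaves the same way under the Microsoft C runtime, and write-what-where via "%n" is what makes it more than an information leak, so a CRT that refuses "%n" (later MSVC runtimes disable it unless the program opts in with _set_printf_count_output) reduces but does not remove the problem. The only real fix is the constant-format form shown in safe_render, backed by building with -Wformat -Wformat-security (or -Werror=format-security) so the pattern cannot be reintroduced.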
Current thread:
- Blue Boars question... Thomas Dullien (Jul 04)
- Re: Blue Boars question... Gerardo Richarte (Jul 10)
- Probally Bug in latest Bind : remote overwrite dns table entries Gerrie (Jul 10)
- Re: Probally Bug in latest Bind : remote overwrite dns table entries Rodrick Brown (Jul 11)
- Re: Blue Boars question... Thomas Dullien (Jul 10)
- format-string exploit under Wndows? Tomasz Grabowski (Jul 11)
- Re: format-string exploit under Wndows? Bluefish (Jul 13)
- Re: format-string exploit under Wndows? Slawek (Jul 13)
- Re: format-string exploit under Wndows? Bluefish (Jul 17)
- Probally Bug in latest Bind : remote overwrite dns table entries Gerrie (Jul 10)
- Re: Blue Boars question... Gerardo Richarte (Jul 10)