Vulnerability Development mailing list archives

Formatting bugs (was BitchX /ignore bug)


From: kotz () FLASH NET (Kotz)
Date: Tue, 4 Jul 2000 23:03:04 -0500


lamagra wrote a very good (if short) paper on this, you can find it on
packetstorm and it was also in a bugtraq post about a week ago. I
believe it was called format_bugs.txt or something to that effect.
Anyway, it IS possible to exploit this in a non-DoS way. lamagra did it
with his proftp exploit. However, some conditions have to be met first.
Mainly that there be user-defined data on the stack. The idea is to use
%n (which writes the number of bytes that have been printed to whatever
is next on the stack) to overwrite an address (the address of your
string, which would be a pointer to something important and worth
overwriting). In the proftp exploit I mentioned earlier, he used %n to
change the saved uid to 0 and then corrupted the anonymous configuration
so write access was enabled, which of course allows creating a backdoor.

Anyway, the point is, you don't have to use shellcode, but you do have
to get lucky. I definitely recommend reading the stuff lamagra has
written about these kinds of bugs (the "ftpd: the advisory version" thread
on bugtraq is good too), because I am certainly no expert.

Cheers,
Robert
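
The two points the post makes, as an added example that is not part of the original thread: %n stores the count of bytes produced so far, and the bug class is untrusted text being passed as the format string itself. The names below (`bytes_before_n`, `log_hardened`, `count_directives`) and the `"[ircd] "` prefix are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post.
 * 1) What %n does: it writes the number of bytes produced so far into the
 *    int pointed to by the matching argument. Here the format string is a
 *    literal and the target is a local we own, so the behaviour is defined. */
int bytes_before_n(const char *user) {
    char out[128];
    int count = -1;
    /* "%n" stores strlen("user=") + strlen(user) into `count`. */
    snprintf(out, sizeof out, "user=%s%n", user, &count);
    return count;
}

/* 2) The bug class from the post: untrusted text used AS the format string.
 *    Kept as a comment only. Every '%' directive in `msg` is then interpreted,
 *    and "%n" writes into whatever the varargs machinery finds next.
 *
 *        void log_vulnerable(FILE *f, const char *msg) { fprintf(f, msg); }
 *
 *    Hardened form: the format is a literal and user data travels as a %s
 *    argument, so '%' characters in `msg` are copied as plain bytes.
 *    Returns the length snprintf reports, like the underlying call. */
int log_hardened(char *out, size_t cap, const char *msg) {
    return snprintf(out, cap, "[ircd] %s", msg);
}

/* 3) Cheap audit helper for code review or fuzzing: count conversion
 *    directives in a string that reaches a *printf-family call as its first
 *    argument. "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}
```

Building with `gcc -Wformat -Wformat-security` makes the compiler warn on the vulnerable form, where the format argument is not a literal and no further arguments follow.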

