Vulnerability Development mailing list archives

Re: Format Bugs in Windows Code?


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Sun, 10 Sep 2000 14:14:34 +0200

Depends on how the compiler implements vargs?
Is that actually true?  It seems to me that if the compiler implements varargs at all, then it
is exploitable.

So far there are at least two of us who have proposed the idea of varargs not
being of "unlimited" size, but actually also containing a "length" field. It
most certainly becomes tricky to modify the return address if functions
such as printf refuse to take any more, or fewer, arguments than were
actually supplied to the function.

OK, there are problems. A user-supplied %s will still be likely to crash the
application, all object files must be recompiled, etc. etc. But is there
really any way to modify the return address (EIP)? I think not.

So if you code for a totally new architecture / operating system, you
really should consider whether the current varargs implementation is the best
choice.  Perhaps a solution for a StackGuard implementation as well.

If I'm wrong, or this is harder to implement than I think, I would love to
hear your opinion on the subject.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

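Added example (mine, not the poster's, and not code from the thread): the
"length field" idea above, done at library level in C rather than in the
compiler's varargs ABI. The caller hands a printf-style wrapper the number of
variadic arguments it actually supplied; the wrapper counts the directives
in the format and refuses to print unless the two match, so a user-supplied
"%x%x%x%n" with zero arguments is rejected instead of walking the stack.
All function and macro names, and the sample strings, are my own
constructions; the check cannot help a caller that passes a wrong count,
and, as the poster notes, a %s that does match the count can still crash.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Count how many arguments a printf-style format will consume.
 * Returns -1 if the format is malformed (ends inside a directive).
 * "%%" consumes nothing; a '*' width or precision consumes one extra
 * argument; length modifiers (hh, h, l, ll, j, z, t, L) change nothing.
 * Hypothetical helper written for this example.
 */
int count_directives(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')              /* "%%" is a literal percent sign */
            continue;
        int need = 1;               /* the conversion itself */
        while (*p == '-' || *p == '+' || *p == ' ' || *p == '#' || *p == '0')
            p++;                    /* flags */
        if (*p == '*') { need++; p++; }                 /* width from an argument */
        else while (*p >= '0' && *p <= '9') p++;        /* literal width */
        if (*p == '.') {                                /* precision */
            p++;
            if (*p == '*') { need++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p != '\0' && strchr("hljztL", *p) != NULL)
            p++;                    /* length modifiers */
        if (*p == '\0')
            return -1;              /* lone trailing '%' or truncated directive */
        count += need;
    }
    return count;
}

/*
 * snprintf with an explicit argument count: the "length field" the post
 * proposes, carried by the caller instead of by the varargs ABI. The format
 * is refused (return -1, empty output) unless it consumes exactly nargs
 * arguments, so neither "more" nor "fewer" gets through.
 */
int checked_snprintf(char *out, size_t n, int nargs, const char *fmt, ...)
{
    if (n == 0)
        return -1;
    int need = count_directives(fmt);
    if (need < 0 || need != nargs) {
        out[0] = '\0';
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Count 1..8 trailing arguments at compile time so the caller cannot get
   nargs wrong; with no extra arguments call checked_snprintf(out, n, 0, fmt). */
#define PP_NARG_(_1, _2, _3, _4, _5, _6, _7, _8, N, ...) N
#define PP_NARG(...) PP_NARG_(__VA_ARGS__, 8, 7, 6, 5, 4, 3, 2, 1, 0)
#define CHECKED_SNPRINTF(out, n, fmt, ...) \
    checked_snprintf((out), (n), PP_NARG(__VA_ARGS__), (fmt), __VA_ARGS__)

int main(void)
{
    char buf[64];
    const char *user = "alice";          /* constructed sample input */
    const char *hostile = "%x%x%x%n";    /* constructed attacker-controlled string */

    /* Correct use: two directives, two arguments, count supplied by the macro. */
    CHECKED_SNPRINTF(buf, sizeof buf, "%s logged in (%d)\n", user, 42);
    fputs(buf, stdout);

    /* The classic bug: attacker string used as the format with no arguments. */
    if (checked_snprintf(buf, sizeof buf, 0, hostile) < 0)
        puts("refused: format needs 4 arguments, caller supplied 0");
    return 0;
}
```

The wrapper only reproduces what a counted-varargs ABI would give you for
one function at a time; every printf-family call site has to be changed,
which is the "recompile everything" cost the post mentions.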
