Vulnerability Development mailing list archives

Re: Format Bugs in Windows Code?


From: Crispin Cowan <crispin () WIREX COM>
Date: Sun, 10 Sep 2000 02:00:21 -0700

"Bluefish (P.Magnusson)" wrote:

>> I see no reason why this class of
>> bugs should be restricted to UNIX code.
>
> Depends on how the compiler implements vargs?

Is that actually true?  It seems to me that if the compiler implements varargs at all, then it
is exploitable.


>> However, I also cannot recall
>> seeing a format bug announced for Windows yet.
>
> Far less windows source is open source ;)

Fair enough.  It does seem more difficult to detect a format bug in binary code than to detect
overflowable buffers.  The "fuzz" approach of barfing long strings at every available orifice
detects overflowable buffers, but you have to do something more deft to detect format bugs.


> Anyone keeping records of when these bugs were first realized & discovered?

I log everything I get.  The first clue I can find of format bugs is this June 23 2000 Bugtraq post:
http://www.securityfocus.com/templates/archive.pike?mid=66544&threads=0&end=2000-06-25&start=2000-06-19&list=1&fromthread=0&;

which in turn refers to the wuftpd exploit posted by tf8
http://www.securityfocus.com/templates/archive.pike?mid=66367&threads=0&end=2000-06-25&start=2000-06-19&list=1&fromthread=0&;

The comments in the code claim to come from October 15, 1999.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org
                Olympics:  The Corruption Games
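As an added illustration of the two points the mail makes (a directive-counting check is the "something more deft" that plain long-string fuzzing lacks, and the fix is to keep untrusted text out of the format argument), here is example code that is not from the original thread or its author; count_format_directives, log_checked and the sample string are constructed for this illustration:

```c
#include <stdarg.h>
#include <stdio.h>

/* Constructed sample input, standing in for text an untrusted caller
 * might hand to a logging routine. "%%" is a literal percent sign;
 * the other four '%' sequences are conversion directives. */
static const char SAMPLE_INPUT[] = "user=%x %x %s%n done 100%%";

/* Count conversion directives in a string, ignoring the "%%" escape.
 * A log sink or input validator can apply this to untrusted text before
 * it reaches any printf-family call: ordinary usernames, paths and
 * hostnames carry no '%'-directives, so a non-zero count is a cheap
 * detection signal that a length-only fuzzer would never produce. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is not a directive */
        n++;
    }
    return n;
}

/* Hardened logging wrapper. The format is always the caller's literal;
 * the GCC/Clang format attribute lets -Wformat -Wformat-security check at
 * build time that every caller passes a literal format with matching
 * arguments, which is how the bug the thread discusses is caught without
 * fuzzing. The vulnerable shape, for contrast, is printf(msg) with msg
 * arriving from outside: the callee then consumes as many varargs as the
 * untrusted directives ask for, regardless of what the caller supplied. */
#if defined(__GNUC__)
__attribute__((format(printf, 2, 3)))
#endif
int log_checked(FILE *out, const char *fmt, ...) {
    va_list ap;
    int written;
    va_start(ap, fmt);
    written = vfprintf(out, fmt, ap);
    va_end(ap);
    return written;
}

/* Untrusted text travels only as a "%s" argument, never as the format. */
int log_untrusted(FILE *out, const char *msg) {
    return log_checked(out, "input: %s\n", msg);
}

int main(void) {
    printf("directives in sample: %d\n", count_format_directives(SAMPLE_INPUT)); /* 4 */
    log_untrusted(stdout, SAMPLE_INPUT);  /* the sample is printed verbatim */
    return 0;
}
```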

