Vulnerability Development mailing list archives

Re: Windows XP multiple local buffer overflows and format string bugs

From: "Berend-Jan Wever" <skylined () edup tudelft nl>
Date: Mon, 25 Oct 2004 19:52:23 +0200 (CEST)

Hi guys, little come back after a moving.

I don't remember to have seen these details, sorry if i'm wrong.


You obviously haven't read the lists then:
http://seclists.org/lists/bugtraq/2004/Oct/0045.html
I wrote about windows local BoF and formatstrings a few weeks back and
included a simple command to test for these. Also, I've tried to exploit a
few and it's pretty hard to actually do that for a very simple program
like sort.

Cheers,
SkyLined


AUTHOR
Komrade

DATE
08/10/2004

PRODUCT
Windows XP
Tested on Windows XP Service Pack 2, prior versions should have the same
bugs.

DETAILS
Here is a list of some Windows XP utilities that are vulnerable to local
buffer overlows and format string bugs.
These programming errors, alone, are not security vulnerabilities (you
need local access and you don't gain more privilege), but they could
became serious security issues if someone has the possibility to remotely
start a program with at least a parameter (what happens with the "shell:"
protocol security issue in the Mozilla browser prior to version 1.7.3,
that permits to remotely execute a program and pass to it parameters).

These informations have been disclosed to inform you that if a new
vulnerability will be discovered which allows remote execution of programs
(passing parameters), all Windows XP operating system will be affected by
several remote buffer overflows and format string vulnerabilities allowing
remote code execution.

Buffer Overlow in immc.exe
POC
c:\> immc.exe aaaaaaaaaa(285 'a' characters)

Buffer Overlow in eventvwr.exe (UNICODE)
POC
c:\> eventvwr.exe aaaaaaaaaa(848 'a' characters)

Buffer Overlow in netsetup.exe
POC
c:\> netsetup.exe aaaaaaaaaa(285 'a' characters)

Buffer Overlow in mrinfo.exe
POC
c:\> mrinfo.exe aaaaaaaaaa(71 'a' characters)

Format String in sort.exe
POC
c:\> sort.exe %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n


SCAN TOOL

This tool scans your pc, checking if it is affected by one of this local
bugs.
This tool only makes a system() call, starting the vulnerable programs
with the opportune parameters.

http://unsecure.altervista.org/security/xplocalscan.c

Regards,
Jerome
-------------null

C est le moment de dynamiser votre boîte mail en découvrant les offres
CaraMail Premium - http://www.caramailmax.com

Current thread:

Windows XP multiple local buffer overflows and format string bugs Jérôme ATHIAS (Oct 25)
- Re: Windows XP multiple local buffer overflows and format string bugs Berend-Jan Wever (Oct 25)