Full Disclosure mailing list archives
[FDSA] Sort - Critical Format String Vulnerability
From: "Fredrick Diggle" <fdiggle () gmail com>
Date: Thu, 17 Jan 2008 12:05:13 -0600
####################################################################### Fredrick Diggle Security Advisory Application: Sort Versions: 5.1.2600.0 verified to be vulnerable Platforms: Microsoft Windows (All Versions) Bugs: Format String Vulnerability Severity: Quite High Date: 17 Jan 2008 Credit: Fredrick Diggle ####################################################################### 1) Introduction 2) Bugs 3) Proof of Concept 4) Fix ####################################################################### =============== 1) Introduction =============== Fredrick Diggle Security Services is probably the best application security researchers on the scene this month. They have identified several hundred thousand vulnerabilities this week for which Priv8 0dayz have been developed. Fredrick Diggle Security Team periodically releases several of these vulnerabilities to the community at large (Pre Vendor Release!!!!). Fred Diggle would like to ensure that you understand this is 0DAY!!!. The vendors are completely unaware of this vulnerabilities. ####################################################################### ======= 2) Bug ======= Sort is a utility which is built into all current versions of Microsoft Windows. Sort.exe contains a highly exploitable format string vulnerability in the Filename command line parameter. The following dump shows the vulnerability in the sort.exe code: .text:0100128F lea eax, [ebp+in_str] ; input string .text:01001295 push eax ; format param .text:01001296 mov eax, ds:_iob .text:0100129B add eax, 40h .text:0100129E push eax ; output .text:0100129F call ds:fprintf ; KABLAM! The following output shows a manafestation of this vulnerability: C:\>sort AAAA%x.%x.%x.%x AAAA7c812f39.0.0.41414141The system cannot find the file specified. This vulnerability can be trivially exploited to execute arbitrary code on the computer machine. ####################################################################### ======= 3) Proof of Concept ======= The following command line will use sort.exe to execute the windows calculator. C:\>sort CALC.EXE%x%x%x%n | calc ####################################################################### ====== 4) Fix ====== Sort should be rewritten to use a third argument to fprintf. The second argument should be a format string similar to "%s" instead of the input string. ####################################################################### _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [FDSA] Sort - Critical Format String Vulnerability Fredrick Diggle (Jan 17)
- Re: [FDSA] Sort - Critical Format String Vulnerability Tonnerre Lombard (Jan 18)
- Re: [FDSA] Sort - Critical Format String Vulnerability Fredrick Diggle (Jan 18)
- Re: [FDSA] Sort - Critical Format StringVulnerability Larry Seltzer (Jan 18)
- Re: [FDSA] Sort - Critical Format String Vulnerability reepex (Jan 18)
- Re: [FDSA] Sort - Critical Format String Vulnerability Fredrick Diggle (Jan 18)
- Re: [FDSA] Sort - Critical Format String Vulnerability Tonnerre Lombard (Jan 18)