Full Disclosure mailing list archives
Re: [FDSA] Sort - Critical Format String Vulnerability
From: reepex <reepex () gmail com>
Date: Fri, 18 Jan 2008 11:39:10 -0600
LOL you are an idiot could you please google format string 101, read the printf man page, and leave security forever On Jan 18, 2008 1:45 AM, Tonnerre Lombard <tonnerre.lombard () sygroup ch> wrote:
Salut, Fredrick, On Thu, 17 Jan 2008 12:05:13 -0600 "Fredrick Diggle" <fdiggle () gmail com> wrote:The following output shows a manafestation of this vulnerability: C:\>sort AAAA%x.%x.%x.%x AAAA7c812f39.0.0.41414141The system cannot find the file specified.This is actually confirmed on Windows 2000 and XP.This vulnerability can be trivially exploited to execute arbitrary code on the computer machine.There I don't agree however, it is a simple memory reading vulnerability.The following command line will use sort.exe to execute the windows calculator. C:\>sort CALC.EXE%x%x%x%n | calcThat's not very surprising since you pipe into the calculator so it is spawned by the shell.Severity: Quite HighThere I don't agree. In theory, there should not be anything important in the memory of the sort process which is not already known to the user executing it anyway. It is clearly a bug though, and wants to be fixed. So congratulations to a working, though overdramatizised, discovered format string vulnerability. Tonnerre -- SyGroup GmbH Tonnerre Lombard Solutions Systematiques Tel:+41 61 333 80 33 Güterstrasse 86 Fax:+41 61 383 14 67 4053 Basel Web:www.sygroup.ch tonnerre.lombard () sygroup ch _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [FDSA] Sort - Critical Format String Vulnerability Fredrick Diggle (Jan 17)
- Re: [FDSA] Sort - Critical Format String Vulnerability Tonnerre Lombard (Jan 18)
- Re: [FDSA] Sort - Critical Format String Vulnerability Fredrick Diggle (Jan 18)
- Re: [FDSA] Sort - Critical Format StringVulnerability Larry Seltzer (Jan 18)
- Re: [FDSA] Sort - Critical Format String Vulnerability reepex (Jan 18)
- Re: [FDSA] Sort - Critical Format String Vulnerability Fredrick Diggle (Jan 18)
- Re: [FDSA] Sort - Critical Format String Vulnerability Tonnerre Lombard (Jan 18)