Vulnerability Development mailing list archives
Formatting bugs (was BitchX /ignore bug)
From: kotz () FLASH NET (Kotz)
Date: Tue, 4 Jul 2000 23:03:04 -0500
lamagra wrote a very good (if short) paper on this; you can find it on packetstorm, and it was also in a bugtraq post about a week ago. I believe it was called format_bugs.txt or something to that effect. Anyway, it IS possible to exploit this in a non-DoS way. lamagra did it with his proftp exploit. However, some conditions have to be met first, mainly that there be user-defined data on the stack. The idea is to use %n (which writes the number of bytes that have been printed to whatever is next on the stack) to overwrite an address (the address of your string, which would be a pointer to something important and worth overwriting). In the proftp exploit I mentioned earlier, he used %n to change the saved uid to 0 and then corrupted the anonymous configuration so write access was enabled, which of course allows creating a backdoor. Anyway, the point is, you don't have to use shellcode, but you do have to get lucky. I definitely recommend reading the stuff lamagra has written about these kinds of bugs (the "ftpd: the advisory version" thread on bugtraq is good too), because I am certainly no expert.

Cheers,
Robert
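The post above explains the mechanism behind format-string bugs: %n stores a byte count through a pointer taken from the argument list, so untrusted text used as a format string turns into an arbitrary write. The following C is an added illustration written for this archive page, not code from lamagra's paper or from the proftpd exploit discussed in the thread. It shows the bug pattern (untrusted text passed as the format argument) beside its hardened form (a constant "%s" format), a small detector that counts conversion directives in untrusted input, and what %n legitimately does when the caller supplies the pointer. The function names are my own; nothing here is taken from BitchX or proftpd.

```c
#include <stdio.h>
#include <string.h>

/* Detection helper: count printf conversion directives in untrusted text.
 * "%%" is a literal percent sign and is not counted. Any non-zero result
 * means the string must never be handed to printf() as its format. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* The bug pattern under discussion: untrusted text IS the format string, so
 * every '%' in it is interpreted, including %n. Kept here for comparison
 * only; it is never called in this file. */
void unsafe_log(char *dst, size_t cap, const char *user)
{
    snprintf(dst, cap, user);
}

/* Hardened form: the format is a constant and the untrusted text is an
 * argument, so '%' sequences are copied literally. Returns the number of
 * bytes snprintf would have written. */
int safe_log(char *dst, size_t cap, const char *user)
{
    return snprintf(dst, cap, "%s", user);
}

/* Returns 1 if safe_log reproduces the input byte-for-byte, even when the
 * input is full of directives, 0 otherwise. */
int safe_log_preserves(const char *user)
{
    char buf[128];
    int n = safe_log(buf, sizeof buf, user);
    return n == (int)strlen(user) && strcmp(buf, user) == 0;
}

/* What %n does when used as the standard intends: it stores the number of
 * bytes emitted so far into the int whose address the caller passed. With
 * a constructed format "uid=%d%n" and the value 0, that count is 5. When the
 * caller did not pass that pointer, %n reads whatever lies next on the
 * stack instead, which is the write the thread is about. */
int bytes_before_n(void)
{
    char buf[32];
    int written = -1;
    snprintf(buf, sizeof buf, "uid=%d%n", 0, &written);
    return written;
}

int main(void)
{
    const char *input = "%s%x%n";             /* constructed sample input */
    char out[128];

    printf("directives in \"%s\": %d\n", input, count_format_directives(input));
    safe_log(out, sizeof out, input);
    printf("safe_log output: \"%s\"\n", out);
    printf("bytes counted by %%n: %d\n", bytes_before_n());
    return 0;
}
```

A practical use of `count_format_directives` is as a log-side or input-side check: any untrusted field that contains directives is worth flagging, and the only durable fix is the `safe_log` shape, a literal format with the data passed as an argument, which also lets `-Wformat-security` catch regressions at compile time.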