Vulnerability Development mailing list archives
Re: Windows XP multiple local buffer overflows and format string bugs
From: "Berend-Jan Wever" <skylined () edup tudelft nl>
Date: Mon, 25 Oct 2004 19:52:23 +0200 (CEST)
> Hi guys, little come back after a moving.
> I don't remember to have seen these details, sorry if I'm wrong.

You obviously haven't read the lists then:
http://seclists.org/lists/bugtraq/2004/Oct/0045.html
I wrote about Windows local BoF and format strings a few weeks back and included a simple command to test for these. Also, I've tried to exploit a few and it's pretty hard to actually do that for a very simple program like sort.

Cheers,
SkyLined

> AUTHOR
> Komrade
>
> DATE
> 08/10/2004
>
> PRODUCT
> Windows XP
> Tested on Windows XP Service Pack 2, prior versions should have the same bugs.
>
> DETAILS
> Here is a list of some Windows XP utilities that are vulnerable to local buffer overflows and format string bugs.
> These programming errors, alone, are not security vulnerabilities (you need local access and you don't gain more privilege), but they could become serious security issues if someone has the possibility to remotely start a program with at least a parameter (as happens with the "shell:" protocol security issue in the Mozilla browser prior to version 1.7.3, which permits remotely executing a program and passing parameters to it).
> This information has been disclosed to inform you that if a new vulnerability is discovered which allows remote execution of programs (passing parameters), all Windows XP operating systems will be affected by several remote buffer overflows and format string vulnerabilities allowing remote code execution.
>
> Buffer Overflow in immc.exe
> POC
> c:\> immc.exe aaaaaaaaaa(285 'a' characters)
>
> Buffer Overflow in eventvwr.exe (UNICODE)
> POC
> c:\> eventvwr.exe aaaaaaaaaa(848 'a' characters)
>
> Buffer Overflow in netsetup.exe
> POC
> c:\> netsetup.exe aaaaaaaaaa(285 'a' characters)
>
> Buffer Overflow in mrinfo.exe
> POC
> c:\> mrinfo.exe aaaaaaaaaa(71 'a' characters)
>
> Format String in sort.exe
> POC
> c:\> sort.exe %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
>
> SCAN TOOL
> This tool scans your pc, checking if it is affected by one of these local bugs.
> This tool only makes a system() call, starting the vulnerable programs with the opportune parameters.
> http://unsecure.altervista.org/security/xplocalscan.c
>
> Regards,
> Jerome
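
Added example, not part of either post and not code from the utilities listed (the thread does not show their source): a C sketch of the hardened form of the two argument-handling mistakes the advisory names, a fixed-size buffer filled from a command-line argument and an argument used as a format string. The buffer size, function names and message text are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARG_BUF_SIZE 64  /* assumed size of the fixed buffer */

/* Copy an untrusted argument into a fixed buffer.
 * Returns 0 on success, -1 if it does not fit. An overlong argument is
 * rejected outright instead of overflowing (strcpy) or being silently
 * truncated. */
int copy_arg(char *dst, size_t dst_size, const char *arg)
{
    size_t len = strlen(arg);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, arg, len + 1);   /* len + 1 copies the terminating NUL */
    return 0;
}

/* Build a message that mentions the untrusted argument.
 * The format string is a constant and the argument is only ever data, so
 * sequences such as %n or %x inside it are copied literally, not interpreted.
 * Returns the message length, or -1 if it would not fit in out. */
int format_error(char *out, size_t out_size, const char *arg)
{
    int n = snprintf(out, out_size, "cannot open file: %s", arg);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

int main(int argc, char **argv)
{
    char name[ARG_BUF_SIZE];
    char msg[ARG_BUF_SIZE + 32];

    if (argc < 2)
        return 0;
    if (copy_arg(name, sizeof name, argv[1]) != 0) {
        fputs("argument too long\n", stderr);
        return 1;
    }
    if (format_error(msg, sizeof msg, name) < 0)
        return 1;
    fputs(msg, stderr);          /* fputs takes no format string at all */
    fputc('\n', stderr);
    return 0;
}
```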
Current thread:
- Windows XP multiple local buffer overflows and format string bugs Jérôme ATHIAS (Oct 25)
- Re: Windows XP multiple local buffer overflows and format string bugs Berend-Jan Wever (Oct 25)