lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 17 Jan 2008 12:05:13 -0600
From: "Fredrick Diggle" <fdiggle@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [FDSA] Sort - Critical Format String Vulnerability

#######################################################################

                             Fredrick Diggle Security Advisory

Application: Sort
Versions: 5.1.2600.0 verified to be vulnerable
Platforms: Microsoft Windows (All Versions)
Bugs: Format String Vulnerability
Severity: Quite High
Date: 17 Jan 2008
Credit: Fredrick Diggle

#######################################################################

1) Introduction
2) Bugs
3) Proof of Concept
4) Fix

#######################################################################

===============
1) Introduction
===============

Fredrick Diggle Security Services is probably the best application
security researchers on the scene this month. They have identified
several hundred thousand vulnerabilities this week for which Priv8
0dayz have been developed. Fredrick Diggle Security Team periodically
releases several of these vulnerabilities to the community at large
(Pre Vendor Release!!!!). Fred Diggle would like to ensure that you
understand this is 0DAY!!!. The vendors are completely unaware of this
vulnerabilities.

#######################################################################

=======
2) Bug
=======

Sort is a utility which is built into all current versions of
Microsoft Windows. Sort.exe contains a highly exploitable format
string vulnerability in the Filename command line parameter. The
following dump shows the vulnerability in the sort.exe code:

.text:0100128F                 lea     eax, [ebp+in_str]    ; input string
.text:01001295                 push    eax                      ; format param
.text:01001296                 mov     eax, ds:_iob
.text:0100129B                 add     eax, 40h
.text:0100129E                 push    eax                      ; output
.text:0100129F                 call    ds:fprintf                 ; KABLAM!

The following output shows a manafestation of this vulnerability:

C:\>sort AAAA%x.%x.%x.%x
AAAA7c812f39.0.0.41414141The system cannot find the file specified.

This vulnerability can be trivially exploited to execute arbitrary
code on the computer machine.

#######################################################################

=======
3) Proof of Concept
=======

The following command line will use sort.exe to execute the windows calculator.

C:\>sort CALC.EXE%x%x%x%n | calc

#######################################################################

======
4) Fix
======

Sort should be rewritten to use a third argument to fprintf. The
second argument should be a format string similar to "%s" instead of
the input string.

#######################################################################

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ