| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20080118135600.8E12A1A0039@mailserver8.hushmail.com> Date: Fri, 18 Jan 2008 08:56:00 -0500 From: "Joey Mengele" <joey.mengele@...hmail.com> To: <fdiggle@...il.com>,<tonnerre.lombard@...roup.ch> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: [FDSA] Sort - Critical Format String Vulnerability Dear Lombard Retard, Excellent analysis, except it is completely wrong LOLOLOLOL. Try %n. J "Gratitude is a sickness suffered by dogs." - Gadi Evron On Fri, 18 Jan 2008 02:45:41 -0500 Tonnerre Lombard <tonnerre.lombard@...roup.ch> wrote: >Salut, Fredrick, > >On Thu, 17 Jan 2008 12:05:13 -0600 "Fredrick Diggle" ><fdiggle@...il.com> wrote: >> The following output shows a manafestation of this >vulnerability: >> >> C:\>sort AAAA%x.%x.%x.%x >> AAAA7c812f39.0.0.41414141The system cannot find the file >specified. > >This is actually confirmed on Windows 2000 and XP. > >> This vulnerability can be trivially exploited to execute >arbitrary >> code on the computer machine. > >There I don't agree however, it is a simple memory reading >vulnerability. > >> The following command line will use sort.exe to execute the >windows >> calculator. >> >> C:\>sort CALC.EXE%x%x%x%n | calc > >That's not very surprising since you pipe into the calculator so >it is >spawned by the shell. > >> Severity: Quite High > >There I don't agree. In theory, there should not be anything >important >in the memory of the sort process which is not already known to >the >user executing it anyway. It is clearly a bug though, and wants to >be >fixed. So congratulations to a working, though overdramatizised, >discovered format string vulnerability. > > Tonnerre >-- >SyGroup GmbH >Tonnerre Lombard > >Solutions Systematiques >Tel:+41 61 333 80 33 Güterstrasse 86 >Fax:+41 61 383 14 67 4053 Basel -- You'll be blown away. Click now for a high performance snow blower! http://tagline.hushmail.com/fc/Ioyw6h4dZvl6gf9aEYJnZSNwcXWnkbXnADvQOMgzZEtqQhjoqC2Fpm/ >Web:www.sygroup.ch tonnerre.lombard@...roup.ch _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists