lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 18 Jan 2008 08:05:37 -0600
From: "Fredrick Diggle" <fdiggle@...il.com>
To: "Tonnerre Lombard" <tonnerre.lombard@...roup.ch>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [FDSA] Sort - Critical Format String
	Vulnerability

Fredrick Diggle apologizes, he always forgets that exploitation is
IMPOSSIBLE if there is no how-to in phrack. Racing your own buffer is
hard Lombard so he feels your pain :(

Also how dare you accuse Diggle Sec of releasing fake vulnerabilities.
Continue down that train of thought and you are likely to find
yourself in a lawsuit sir.

Also we noted your comment about pipes and performed further analysis.
What we discovered was shocking! You are indeed correct that the
published proof of concept inadvertently exploits a previously
unpublished vulnerability it the windows command line utility. This
vulnerability allows for arbitrary command execution and is really
quite severe. We will be happy to credit you with its discovery.

On Jan 18, 2008 1:45 AM, Tonnerre Lombard <tonnerre.lombard@...roup.ch> wrote:
> Salut, Fredrick,
>
> On Thu, 17 Jan 2008 12:05:13 -0600 "Fredrick Diggle"
> <fdiggle@...il.com> wrote:
> > The following output shows a manafestation of this vulnerability:
> >
> > C:\>sort AAAA%x.%x.%x.%x
> > AAAA7c812f39.0.0.41414141The system cannot find the file specified.
>
> This is actually confirmed on Windows 2000 and XP.
>
> > This vulnerability can be trivially exploited to execute arbitrary
> > code on the computer machine.
>
> There I don't agree however, it is a simple memory reading
> vulnerability.
>
> > The following command line will use sort.exe to execute the windows
> > calculator.
> >
> > C:\>sort CALC.EXE%x%x%x%n | calc
>
> That's not very surprising since you pipe into the calculator so it is
> spawned by the shell.
>
> > Severity: Quite High
>
> There I don't agree. In theory, there should not be anything important
> in the memory of the sort process which is not already known to the
> user executing it anyway. It is clearly a bug though, and wants to be
> fixed. So congratulations to a working, though overdramatizised,
> discovered format string vulnerability.
>
>                                 Tonnerre
> --
> SyGroup GmbH
> Tonnerre Lombard
>
> Solutions Systematiques
> Tel:+41 61 333 80 33            Güterstrasse 86
> Fax:+41 61 383 14 67            4053 Basel
> Web:www.sygroup.ch              tonnerre.lombard@...roup.ch
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ