Full Disclosure mailing list archives
Re: [FDSA] Sort - Critical Format StringVulnerability
From: "Larry Seltzer" <Larry () larryseltzer com>
Date: Fri, 18 Jan 2008 09:30:48 -0500
This vulnerability allows for arbitrary command execution and is really quite severe.
So the following proof of concept causes the Windows Calculator to be executed? C:\>calc Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.pcmag.com/securitywatch/ Contributing Editor, PC Magazine larry.seltzer () ziffdavisenterprise com -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Fredrick Diggle Sent: Friday, January 18, 2008 9:06 AM To: Tonnerre Lombard Cc: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] [FDSA] Sort - Critical Format StringVulnerability Fredrick Diggle apologizes, he always forgets that exploitation is IMPOSSIBLE if there is no how-to in phrack. Racing your own buffer is hard Lombard so he feels your pain :( Also how dare you accuse Diggle Sec of releasing fake vulnerabilities. Continue down that train of thought and you are likely to find yourself in a lawsuit sir. Also we noted your comment about pipes and performed further analysis. What we discovered was shocking! You are indeed correct that the published proof of concept inadvertently exploits a previously unpublished vulnerability it the windows command line utility. This vulnerability allows for arbitrary command execution and is really quite severe. We will be happy to credit you with its discovery. On Jan 18, 2008 1:45 AM, Tonnerre Lombard <tonnerre.lombard () sygroup ch> wrote:
Salut, Fredrick, On Thu, 17 Jan 2008 12:05:13 -0600 "Fredrick Diggle" <fdiggle () gmail com> wrote:The following output shows a manafestation of this vulnerability: C:\>sort AAAA%x.%x.%x.%x AAAA7c812f39.0.0.41414141The system cannot find the file specified.This is actually confirmed on Windows 2000 and XP.This vulnerability can be trivially exploited to execute arbitrary code on the computer machine.There I don't agree however, it is a simple memory reading vulnerability.The following command line will use sort.exe to execute the windows calculator. C:\>sort CALC.EXE%x%x%x%n | calcThat's not very surprising since you pipe into the calculator so it is spawned by the shell.Severity: Quite HighThere I don't agree. In theory, there should not be anything important in the memory of the sort process which is not already known to the user executing it anyway. It is clearly a bug though, and wants to be fixed. So congratulations to a working, though overdramatizised, discovered format string vulnerability. Tonnerre -- SyGroup GmbH Tonnerre Lombard Solutions Systematiques Tel:+41 61 333 80 33 Güterstrasse 86 Fax:+41 61 383 14 67 4053 Basel Web:www.sygroup.ch tonnerre.lombard () sygroup ch
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [FDSA] Sort - Critical Format String Vulnerability Fredrick Diggle (Jan 17)
- Re: [FDSA] Sort - Critical Format String Vulnerability Tonnerre Lombard (Jan 18)
- Re: [FDSA] Sort - Critical Format String Vulnerability Fredrick Diggle (Jan 18)
- Re: [FDSA] Sort - Critical Format StringVulnerability Larry Seltzer (Jan 18)
- Re: [FDSA] Sort - Critical Format String Vulnerability reepex (Jan 18)
- Re: [FDSA] Sort - Critical Format String Vulnerability Fredrick Diggle (Jan 18)
- Re: [FDSA] Sort - Critical Format String Vulnerability Tonnerre Lombard (Jan 18)