Dear Lombard Retard, Excellent analysis, except it is completely wrong LOLOLOLOL.
Try %n.

J

"Gratitude is a sickness suffered by dogs." - Gadi Evron

On Fri, 18 Jan 2008 02:45:41 -0500 Tonnerre Lombard <[EMAIL PROTECTED]> wrote:
>Salut, Fredrick,
>
>On Thu, 17 Jan 2008 12:05:13 -0600 "Fredrick Diggle" <[EMAIL PROTECTED]> wrote:
>> The following output shows a manifestation of this vulnerability:
>>
>> C:\>sort AAAA%x.%x.%x.%x
>> AAAA7c812f39.0.0.41414141The system cannot find the file specified.
>
>This is actually confirmed on Windows 2000 and XP.
>
>> This vulnerability can be trivially exploited to execute arbitrary
>> code on the computer machine.
>
>There I don't agree however, it is a simple memory reading vulnerability.
>
>> The following command line will use sort.exe to execute the windows
>> calculator.
>>
>> C:\>sort CALC.EXE%x%x%x%n | calc
>
>That's not very surprising since you pipe into the calculator so it is
>spawned by the shell.
>
>> Severity: Quite High
>
>There I don't agree. In theory, there should not be anything important
>in the memory of the sort process which is not already known to the
>user executing it anyway. It is clearly a bug though, and wants to be
>fixed. So congratulations to a working, though overdramatized,
>discovered format string vulnerability.
>
> Tonnerre
>--
>SyGroup GmbH
>Tonnerre Lombard
>
>Solutions Systematiques
>Tel:+41 61 333 80 33 Güterstrasse 86
>Fax:+41 61 383 14 67 4053 Basel
>Web:www.sygroup.ch [EMAIL PROTECTED]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
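
The %x and %n behaviour argued over in this thread, as an added C example that is not part of the original messages and is not sort.exe's code: a constructed error-reporting routine that passes the file name as data to a constant format, beside the unsafe pattern (compiled only with -DSHOW_VULNERABLE), plus a hypothetical helper `count_directives` that flags conversion directives in untrusted text. All function names here are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MSG "The system cannot find the file specified."

#ifdef SHOW_VULNERABLE
/* Unsafe pattern (assumed, for contrast): the untrusted name IS the format,
 * so %x prints stack words and %n stores a count through a stack value. */
int report_unsafe(char *out, size_t n, const char *name) {
    return snprintf(out, n, name);
}
#endif

/* Hardened: constant format string, the name is only ever data. */
int report_safe(char *out, size_t n, const char *name) {
    return snprintf(out, n, "%s" MSG, name);
}

/* Hypothetical audit helper: count printf conversion directives in
 * untrusted text; *has_n is set if a memory-writing %n is among them. */
int count_directives(const char *s, int *has_n) {
    int count = 0;
    *has_n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        s++;
        if (*s == '%') continue;            /* "%%" is a literal percent */
        while (*s && strchr("-+ #0123456789.*hlLjzt", *s)) s++;
        if (*s == '\0') break;              /* dangling '%' at end of input */
        if (*s == 'n') *has_n = 1;
        count++;
    }
    return count;
}

int main(void) {
    /* Constructed inputs taken from the command lines quoted in the thread. */
    const char *inputs[] = { "AAAA%x.%x.%x.%x", "CALC.EXE%x%x%x%n" };
    char buf[128];
    for (int i = 0; i < 2; i++) {
        int has_n, d = count_directives(inputs[i], &has_n);
        report_safe(buf, sizeof buf, inputs[i]);
        printf("%s\n  directives=%d writes=%d\n", buf, d, has_n);
    }
    return 0;
}
```

With the constant format the directives in the file name are echoed literally instead of being interpreted, which is the difference between the output quoted in the thread and a fixed build.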
