LOL you are an idiot could you please google format string 101, read the printf man page, and leave security forever
On Jan 18, 2008 1:45 AM, Tonnerre Lombard <[EMAIL PROTECTED]> wrote: > Salut, Fredrick, > > On Thu, 17 Jan 2008 12:05:13 -0600 "Fredrick Diggle" > <[EMAIL PROTECTED]> wrote: > > The following output shows a manafestation of this vulnerability: > > > > C:\>sort AAAA%x.%x.%x.%x > > AAAA7c812f39.0.0.41414141The system cannot find the file specified. > > This is actually confirmed on Windows 2000 and XP. > > > This vulnerability can be trivially exploited to execute arbitrary > > code on the computer machine. > > There I don't agree however, it is a simple memory reading > vulnerability. > > > The following command line will use sort.exe to execute the windows > > calculator. > > > > C:\>sort CALC.EXE%x%x%x%n | calc > > That's not very surprising since you pipe into the calculator so it is > spawned by the shell. > > > Severity: Quite High > > There I don't agree. In theory, there should not be anything important > in the memory of the sort process which is not already known to the > user executing it anyway. It is clearly a bug though, and wants to be > fixed. So congratulations to a working, though overdramatizised, > discovered format string vulnerability. > > Tonnerre > -- > SyGroup GmbH > Tonnerre Lombard > > Solutions Systematiques > Tel:+41 61 333 80 33 Güterstrasse 86 > Fax:+41 61 383 14 67 4053 Basel > Web:www.sygroup.ch [EMAIL PROTECTED] > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
