Re: [Full-disclosure] [FDSA] Sort - Critical Format String Vulnerability

Dear Lombard Retard,

Excellent analysis, except it is completely wrong LOLOLOLOL.

Try %n.

J

"Gratitude is a sickness suffered by dogs." - Gadi Evron

On Fri, 18 Jan 2008 02:45:41 -0500 Tonnerre Lombard
<tonnerre.lombard@xxxxxxxxxx> wrote:
Salut, Fredrick,

On Thu, 17 Jan 2008 12:05:13 -0600 "Fredrick Diggle"
<fdiggle@xxxxxxxxx> wrote:
The following output shows a manafestation of this
vulnerability:

C:\>sort AAAA%x.%x.%x.%x
AAAA7c812f39.0.0.41414141The system cannot find the file
specified.

This is actually confirmed on Windows 2000 and XP.

This vulnerability can be trivially exploited to execute
arbitrary
code on the computer machine.

There I don't agree however, it is a simple memory reading
vulnerability.

The following command line will use sort.exe to execute the
windows
calculator.

C:\>sort CALC.EXE%x%x%x%n | calc

That's not very surprising since you pipe into the calculator so
it is
spawned by the shell.

Severity: Quite High

There I don't agree. In theory, there should not be anything
important
in the memory of the sort process which is not already known to
the
user executing it anyway. It is clearly a bug though, and wants to
be
fixed. So congratulations to a working, though overdramatizised,
discovered format string vulnerability.

Tonnerre
--
SyGroup GmbH
Tonnerre Lombard

Solutions Systematiques
Tel:+41 61 333 80 33 Güterstrasse 86
Fax:+41 61 383 14 67 4053 Basel

--
You'll be blown away. Click now for a high performance snow blower!
http://tagline.hushmail.com/fc/Ioyw6h4dZvl6gf9aEYJnZSNwcXWnkbXnADvQOMgzZEtqQhjoqC2Fpm/
Web:www.sygroup.ch tonnerre.lombard@xxxxxxxxxx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Loading