[Full-disclosure] [FDSA] Sort - Critical Format String Vulnerability
joey.mengele at hushmail.com
Fri Jan 18 13:56:00 GMT 2008
Dear Lombard Retard,
Excellent analysis, except it is completely wrong LOLOLOLOL.
"Gratitude is a sickness suffered by dogs." - Gadi Evron
On Fri, 18 Jan 2008 02:45:41 -0500 Tonnerre Lombard
<tonnerre.lombard at sygroup.ch> wrote:
>On Thu, 17 Jan 2008 12:05:13 -0600 "Fredrick Diggle"
><fdiggle at gmail.com> wrote:
>> The following output shows a manifestation of this
>> C:\>sort AAAA%x.%x.%x.%x
>> AAAA7c812f22.214.171.124414141The system cannot find the file
>This is actually confirmed on Windows 2000 and XP.
>> This vulnerability can be trivially exploited to execute
>> code on the computer machine.
>There I don't agree however, it is a simple memory reading
>> The following command line will use sort.exe to execute the
>> C:\>sort CALC.EXE%x%x%x%n | calc
>That's not very surprising since you pipe into the calculator so
>spawned by the shell.
>> Severity: Quite High
>There I don't agree. In theory, there should not be anything
>in the memory of the sort process which is not already known to
>the user executing it anyway. It is clearly a bug though, and wants to
>be fixed. So congratulations to a working, though overdramatized,
>discovered format string vulnerability.
>Tel:+41 61 333 80 33 Güterstrasse 86
>Fax:+41 61 383 14 67 4053 Basel
>Web:www.sygroup.ch tonnerre.lombard at sygroup.ch
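An added example, not code from either post or from sort.exe, illustrating the point under dispute above: a small scanner that tells a read-only string of %x directives from one carrying %n (the only directive that writes to memory), beside the hardened form of an error message that takes the file name as an argument rather than as the format. Function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Walk an untrusted string the way printf would: count its conversion
 * directives and note whether any is %n. "%%" is a literal percent sign
 * and is skipped; flags, width, precision and length modifiers are consumed. */
static int scan_directives(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent sign, not a directive */
            p++;
            continue;
        }
        const char *q = p + 1;      /* skip flags, width, precision, length */
        while (*q && strchr("-+ #*0123456789.hlLqjzt", *q))
            q++;
        if (*q == '\0')
            break;                  /* dangling '%' at end of input */
        count++;
        if (*q == 'n')
            *has_n = 1;             /* %n writes a count into memory */
        p = q;
    }
    return count;
}

/* Number of directives in the string, e.g. 4 for "AAAA%x.%x.%x.%x". */
int count_format_directives(const char *s) { int n; return scan_directives(s, &n); }

/* 1 if the string carries a %n, which is what turns a leak into a write. */
int has_write_directive(const char *s) { int n; scan_directives(s, &n); return n; }

/* Hardened error reporter: the user-controlled name is an argument to a
 * constant format, so "%x" or "%n" inside it are printed literally. The
 * vulnerable shape discussed in the thread is the equivalent of printf(name),
 * which interprets the name itself as the format. */
const char *missing_file_message(const char *name)
{
    static char buf[256];           /* static only to keep the demo short */
    snprintf(buf, sizeof buf, "The system cannot find the file %s", name);
    return buf;
}
```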
Full-Disclosure is hosted and sponsored by Secunia.