LOL you are an idiot<br><br>could you please google format string 101, read the printf man page, and leave security forever<br><br><div class="gmail_quote">On Jan 18, 2008 1:45 AM, Tonnerre Lombard &lt;<a href="mailto:tonnerre.lombard@sygroup.ch">
tonnerre.lombard@sygroup.ch</a>&gt; wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Salut, Fredrick,<br><div class="Ih2E3d"><br>On Thu, 17 Jan 2008 12:05:13 -0600 "Fredrick Diggle"
<br>&lt;<a href="mailto:fdiggle@gmail.com">fdiggle@gmail.com</a>&gt; wrote:<br>> The following output shows a manifestation of this vulnerability:<br>><br>> C:\>sort AAAA%x.%x.%x.%x<br>> AAAA7c812f39.0.0.41414141The
system cannot find the file specified.<br><br></div>This is actually confirmed on Windows 2000 and XP.<br><div class="Ih2E3d"><br>> This vulnerability can be trivially exploited to execute arbitrary<br>> code on the computer machine.
<br><br></div>There I don't agree, however; it is a simple memory reading<br>vulnerability.<br><div class="Ih2E3d"><br>> The following command line will use sort.exe to execute the windows<br>> calculator.<br>>
<br>> C:\>sort CALC.EXE%x%x%x%n | calc<br><br></div>That's not very surprising since you pipe into the calculator so it is<br>spawned by the shell.<br><br>> Severity: Quite High<br><br>There I don't agree. In theory, there should not be anything important
<br>in the memory of the sort process which is not already known to the<br>user executing it anyway. It is clearly a bug though, and wants to be<br>fixed. So congratulations to a working, though overdramatized,<br>discovered format string vulnerability.
<br><br> Tonnerre<br><font color="#888888">--<br>SyGroup GmbH<br>Tonnerre Lombard<br><br>Solutions Systematiques<br>Tel:+41 61 333 80 33 Güterstrasse 86<br>Fax:+41 61 383 14 67 4053 Basel
<br>Web:<a href="http://www.sygroup.ch" target="_blank">www.sygroup.ch</a> <a href="mailto:tonnerre.lombard@sygroup.ch">tonnerre.lombard@sygroup.ch</a><br></font><br>_______________________________________________
<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia -
<a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br></blockquote></div><br>
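The "format string 101" the reply points to, as an added example that is not code from the thread, from sort.exe or from either poster. It uses a stand-in for the bug (user text passed as the format), the one-line fix (a literal format with the text as an argument), and a controlled <code>%n</code> call to show why the thread treats <code>%x</code> as a memory read and <code>%n</code> as the step that would be needed for a write. The function names (<code>render</code>, <code>vulnerable_echo</code>, <code>safe_echo</code>, <code>directives_consumed</code>, <code>input_preserved</code>, <code>bytes_counted_by_n</code>) and the probe string are constructed for this example.

```c
/* Added example (not the thread's code): the format string bug behind
 * "sort AAAA%x.%x.%x.%x", reduced to a stand-alone C program.
 * All function names below are hypothetical; the probe input is constructed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Thin wrapper around vsnprintf, so the bug is about WHAT is passed as
 * the format string, not about any particular printf-family entry point. */
static int render(char *dst, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(dst, n, fmt, ap);
    va_end(ap);
    return r;
}

/* The bug: attacker-controlled text used AS the format string.
 * Each %x fetches a "next argument" that was never passed, i.e. whatever
 * happens to sit in the argument registers / on the stack. That is where
 * the 7c812f39 and 41414141 in the advisory output come from. */
int vulnerable_echo(char *dst, size_t n, const char *input)
{
    return render(dst, n, input);            /* input is the format */
}

/* The fix: a literal format, the user's text as a plain %s argument. */
int safe_echo(char *dst, size_t n, const char *input)
{
    return render(dst, n, "%s", input);
}

/* Returns 1 if the directives in the input were interpreted rather than
 * echoed: the "AAAA" prefix survives but no '%' does, because every %x
 * was replaced by some leaked hex word. */
int directives_consumed(const char *input)
{
    char out[256];
    vulnerable_echo(out, sizeof out, input);
    return strncmp(out, "AAAA", 4) == 0 && strchr(out, '%') == NULL;
}

/* Returns 1 if the fixed version echoes the text byte for byte. */
int input_preserved(const char *input)
{
    char out[256];
    safe_echo(out, sizeof out, input);
    return strcmp(out, input) == 0;
}

/* What %n does: it WRITES the number of bytes emitted so far through an
 * int pointer taken from the argument list. Here the pointer is supplied
 * honestly. In the vulnerable path it would be whatever the attacker can
 * park in that argument slot (the 41414141 from an "AAAA" prefix, say),
 * which is why %n turns the read primitive into a write primitive and why
 * it needs a chosen pointer, not a pipe, to do anything useful. */
int bytes_counted_by_n(void)
{
    char out[32];
    int count = -1;
    render(out, sizeof out, "CALC.EXE%n", &count); /* 8 bytes precede %n */
    return count;
}

int main(void)
{
    char out[256];
    const char *probe = "AAAA%x.%x.%x.%x";        /* constructed input */
    vulnerable_echo(out, sizeof out, probe);
    printf("vulnerable: %s\n", out);
    safe_echo(out, sizeof out, probe);
    printf("safe:       %s\n", out);
    printf("%%n wrote:   %d\n", bytes_counted_by_n());
    return 0;
}
```

Build it with <code>-Wall -Wformat-security</code> and note that the compiler cannot flag <code>vulnerable_echo</code> here, because the non-literal format is hidden behind the <code>render</code> wrapper; that is the usual reason these bugs survive review, and adding <code>__attribute__((format(printf, 3, 4)))</code> to such wrappers is the cheap fix for it.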