Salut, Fredrick,
On Thu, 17 Jan 2008 12:05:13 -0600 "Fredrick Diggle"
<fdiggle@xxxxxxxxx> wrote:
> The following output shows a manafestation of this vulnerability:
>
> C:\>sort AAAA%x.%x.%x.%x
> AAAA7c812f39.0.0.41414141The system cannot find the file specified.
This is actually confirmed on Windows 2000 and XP.
> This vulnerability can be trivially exploited to execute arbitrary
> code on the computer machine.
There I don't agree however, it is a simple memory reading
vulnerability.
> The following command line will use sort.exe to execute the windows
> calculator.
>
> C:\>sort CALC.EXE%x%x%x%n | calc
That's not very surprising since you pipe into the calculator so it is
spawned by the shell.
> Severity: Quite High
There I don't agree. In theory, there should not be anything important
in the memory of the sort process which is not already known to the
user executing it anyway. It is clearly a bug though, and wants to be
fixed. So congratulations to a working, though overdramatizised,
discovered format string vulnerability.
Tonnerre
--
SyGroup GmbH
Tonnerre Lombard
Solutions Systematiques
Tel:+41 61 333 80 33 Güterstrasse 86
Fax:+41 61 383 14 67 4053 Basel
Web:www.sygroup.ch tonnerre.lombard@xxxxxxxxxx
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/