Subject: Re: Blue Boars question...
From: Gerardo Richarte (core.lists.exploit-dev@CORE-SDI.COM)
Date: Mon Jul 10 2000 - 13:35:37 CDT
- Next message: Luis Pinto: "Re: default password list (3Com switches)"
- Previous message: Gerardo Richarte: "Re: Default passwords using Cisco ConfigMaker"
- In reply to: Thomas Dullien: "Blue Boars question..."
- Next in thread: Thomas Dullien: "Re: Blue Boars question..."
- Reply: Gerardo Richarte: "Re: Blue Boars question..."
- Reply: Thomas Dullien: "Re: Blue Boars question..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Thomas Dullien wrote:
>
> If you recap what we can do, you'll find out that most format strings we
> supply could just pop more stuff off the stack and thus crash the
> application.
I'm not so sure about this...
If you are using the C calling convention (as almost everybody here is),
the caller is responsible for restoring the stack after the call, not the
callee.
In fact, this line of code will compile/link/and work just fine:
printf("%p%p%p%p%p%p%p%p%p%p%p");
it will print the stack's contents, but not crash, because the caller
knows exactly (: that it pushed just 1 argument, so it will pop only 1 arg.
However, it is true that you can, almost certainly, crash a program
by changing a format string: just use a lot of '%s', and if you hit a
memory pointer not currently mapped, the formatting function will collapse.
> But if you look at the (v/s/n)printf specifications you'll notice one
> certain format parameter: "%n"...
>
> "%n" will write the number of bytes written so far into the memory location
> pointed to by the corresponding variable on the stack.
I would like to bring something to attention here:
the n versions of these functions will write not the "number of bytes
written so far..." as you (and the man pages) say, but the number of bytes that
would have been written so far IF THERE WAS SPACE FOR IT... meaning:
snprintf(buf, 1, "%.10000d%n", 0, &anInt);
will write 10000 in anInt, even when buf's size is said to be 1.
I think this was a decision taken so moving to 'n functions' is
a little easier: %n is filled with the same values whether you are using
an 'n function' or a normal function.
I would vote for not calling this kind of bug a 'buffer overflow' or
so, because there is no need to overflow the buffers to exploit this; I'll use
"input validation error", as CERT and many more do, until somebody finds a
better name for it...
richie
--- For a personal reply use gera@core-sdi.com
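Added example (not code from the original post): it checks the two points made above, that snprintf's %n reports the characters that would have been written rather than those that fit, and that untrusted text must be passed as an argument to a fixed format rather than as the format itself. The function names and the "user said:" prefix are the example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* Format a 10000-digit padded integer into a 1-byte buffer and return what %n
 * recorded. *fitted receives strlen(buf), i.e. how much actually fit (0 here:
 * a size of 1 leaves room only for the terminating NUL). */
int n_reports_would_be_length(size_t *fitted)
{
    char buf[1];
    int counted = -1;
    /* %.10000d pads the integer 0 to 10000 digits; %n stores the running count.
     * The buffer truncates the output, but %n still reports 10000. */
    snprintf(buf, sizeof buf, "%.10000d%n", 0, &counted);
    if (fitted)
        *fitted = strlen(buf);
    return counted;
}

/* Count conversion specifications in a string: every '%' that is not part of a
 * literal "%%". Any non-zero count in untrusted text is a red flag if that text
 * could ever reach the format parameter of a printf-family call. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }  /* escaped percent sign */
        n++;
    }
    return n;
}

/* Hardened form: the untrusted text is an argument to a fixed "%s" format, so
 * any % characters it contains are copied, never interpreted.
 * Returns the number of bytes stored in out, excluding the NUL. */
int safe_format(char *out, size_t outsz, const char *untrusted)
{
    int r = snprintf(out, outsz, "user said: %s", untrusted);
    return r < 0 ? r : (int)strlen(out);
}

int main(void)
{
    char out[64];
    size_t fitted;
    int counted = n_reports_would_be_length(&fitted);
    printf("%%n reported %d, buffer holds %zu chars\n", counted, fitted);
    safe_format(out, sizeof out, "%.10000d%n");
    printf("%s (%d conversions, none interpreted)\n", out, count_conversions("%.10000d%n"));
    return 0;
}
```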