Subject: Re: format-string exploit under Wndows?
From: Bluefish (11a at GMX.NET)
Date: Thu Jul 13 2000 - 07:37:14 CDT
- Next message: Jon Paul, Nollmann: "Re: tail -f to a dir"
- Previous message: mount ararat blossom: "core dump"
- In reply to: Tomasz Grabowski: "format-string exploit under Wndows?"
- Next in thread: Slawek: "Re: format-string exploit under Wndows?"
- Reply: Bluefish: "Re: format-string exploit under Wndows?"
- Reply: Slawek: "Re: format-string exploit under Wndows?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> sprintf(errmsg, _("%s: Interrupt/Exception caugh "), prg);
> fprintf(stderr, errmsg);
> The important thing for me is the fprintf() without a proper format string.
> So is it possible to exploit that vulnerability in fprintf() by putting
> some evil code in 'prg'? Assuming it is less than 1024 because of the buffer
> overflow in sprintf() :)
> Has anyone tried something like this on their own Windows?
> Hints?
Under Unix, you don't want people to be able to write to a terminal
unfiltered, because it can be used to send commands like "rm -rf /" through
ANSI features (or whatever terminal mode is in use).
For MS/PC-DOS, you were careful NOT to load ANSI.SYS if you were, e.g.,
hosting a BBS. That was because "ANSI bombs", very similar to the Unix
problem, could be sent then. "type ansibomb.txt" or "pkunzip
ansibomb.zip" could be enough to wipe out your entire BBS. But if you
simply didn't load ANSI.SYS, you were safe.
To the best of my knowledge, the same is true for Windows. If you don't
load ANSI support, you are safe. This should of course be verified before
trusting my words blindly ;) Has anyone tried ANSI bombs against Windows 9x or
NT?
On PS/2, ANSI is supported directly by the terminal (you don't have to
load ANSI.SYS). I don't know if it's vulnerable, though.
..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
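The thread raises two separate hazards: the quoted fprintf(stderr, errmsg) lets printf interpret whatever is in prg as conversion directives, and the reply's point is that any attacker-controlled bytes written unfiltered to a terminal can carry escape sequences. The C below is an added example written for this page, not code from either poster. It rebuilds the quoted pattern with a bounded buffer, puts the vulnerable form (data used as the format) beside the hardened form ("%s" as the format), and adds two audit helpers of my own naming, count_directives() and sanitize_for_terminal(). The input "%%prog" is constructed: "%%" is the one directive that consumes no arguments, so the difference between the two paths is observable without invoking undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERRMSG_SIZE 1024

/* Thin varargs wrapper standing in for fprintf(stderr, ...), rendering into a
   buffer so the result can be compared instead of going to the terminal. */
static int render(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Builds the message the way the quoted program does, but bounded
   (snprintf instead of sprintf) so a long prg cannot overflow errmsg. */
static void build_errmsg(char *errmsg, size_t n, const char *prg) {
    snprintf(errmsg, n, "%s: Interrupt/Exception caught ", prg);
}

/* Vulnerable pattern: the attacker-influenced errmsg IS the format string.
   Every '%' directive that arrived in prg is interpreted by printf. */
static void emit_vulnerable(char *out, size_t n, const char *prg) {
    char errmsg[ERRMSG_SIZE];
    build_errmsg(errmsg, sizeof errmsg, prg);
    render(out, n, errmsg);            /* == fprintf(stderr, errmsg) */
}

/* Hardened pattern: constant format, untrusted data passed as an argument. */
static void emit_safe(char *out, size_t n, const char *prg) {
    char errmsg[ERRMSG_SIZE];
    build_errmsg(errmsg, sizeof errmsg, prg);
    render(out, n, "%s", errmsg);      /* == fprintf(stderr, "%s", errmsg) */
}

/* Audit helper: count printf directives present in untrusted data.
   "%%" is the literal percent escape and counts as zero; any other '%'
   starts a directive that would consume an argument (or, for %n, write
   to memory) if the data ever reached printf as a format string. */
static int count_directives(const char *s) {
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        count++;
    }
    return count;
}

/* Terminal-side defence for the reply's point: before untrusted bytes go to
   a terminal, turn ESC, DEL and the other C0 controls (except newline and
   tab) into caret notation so no escape sequence reaches the terminal.
   Returns the length written; truncates safely if dst is too small. */
static size_t sanitize_for_terminal(char *dst, size_t n, const char *src) {
    size_t w = 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        unsigned char c = *p;
        int control = (c < 0x20 && c != '\n' && c != '\t') || c == 0x7f;
        if (w + (control ? 2 : 1) + 1 > n) break;   /* keep room for NUL */
        if (control) {
            dst[w++] = '^';
            dst[w++] = (c == 0x7f) ? '?' : (char)(c + 0x40);
        } else {
            dst[w++] = (char)c;
        }
    }
    dst[w] = '\0';
    return w;
}

int main(void) {
    char v[ERRMSG_SIZE], s[ERRMSG_SIZE], t[64];
    const char *prg = "%%prog";        /* constructed attacker-chosen argv[0] */
    emit_vulnerable(v, sizeof v, prg);
    emit_safe(s, sizeof s, prg);
    printf("vulnerable: %s\n", v);     /* "%%" collapsed: data was parsed as a format */
    printf("safe:       %s\n", s);     /* "%%" preserved: data was printed as data */
    printf("directives in \"%%x%%x%%n\": %d\n", count_directives("%x%x%n"));
    sanitize_for_terminal(t, sizeof t, "\x1b[2J\x07" "bell");
    printf("sanitized:  %s\n", t);
    return 0;
}
```

The vulnerable path is only ever fed "%%" here; with "%x" or "%n" in prg it would read or write stack memory that the call never supplied, which is exactly the question the thread asks and why the constant-format form is the fix. count_directives() is the grep-style check to run over anything that might flow into a format argument, and sanitize_for_terminal() is the filter Bluefish's reply argues for, independent of whether ANSI support happens to be loaded.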