Subject: Re: Format Bugs in Windows Code?
From: Bluefish (P.Magnusson) (11aGMX.NET)
Date: Wed Sep 13 2000 - 05:36:05 CDT


IMHO, this is an issue with similarities to doing secure popen, secure
cgi's etc. What we've seen among that software is that although at
first glance everything appears to be secure, things aren't really done
properly anyway.

Or to put it into other words, sending %s%s%s%s%s%s will work with

  fgets(str, size, stdin);   /* argument order is (buffer, size, stream) */
  printf(str);               /* user input used directly as the format string */

which should be easy to track down. But I'm betting a dollar or two that
we will find far less obvious mistakes, where it is much harder to find
the bugs. I mean, we could actually have something like:

  fgets(str, size, stdin);   /* argument order is (buffer, size, stream) */
  printf("%s", str);         /* safe: the format is a literal */
  .
  .
  lots of lines later in a branch rarely taken:
  printf(str);               /* unsafe: the same buffer is now the format */

And so on - I guarantee that there are more ways to write hard to find
bugs, especially if the source isn't available... Comments?

> > Fair enough. It does seem more difficult to detect a format bug in
> > binary code than to detect overflowable buffers. The "fuzz" approach
> > of barfing long strings at every available orifice detects
> > overflowable buffers, but you have to do something more deft to detect
> > format bugs.
>
> Is there any reason why using strings "polluted" with format tags should
> not work? Repeated %s's or %n's are probably the best choice because it
> is very likely a vulnerable program will go down in flames when it tries
> to interpret such a string.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
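As an added example, not from the original post or the list, here is a small Python scanner over C source that flags printf-family calls whose format argument is not a string literal, which catches the "lots of lines later in a branch rarely taken" shape the post describes. The function names, the argument-position table and the sample C lines are my own constructions.

```python
import re

# 0-based position of the format argument in common printf-family calls.
FORMAT_ARG_INDEX = {"printf": 0, "fprintf": 1, "sprintf": 1,
                    "syslog": 1, "snprintf": 2}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")

def split_args(text):
    """Split the text following '(' into arguments, ignoring commas inside
    nested parentheses and C string literals. Returns (args, index of the
    matching ')'), or (None, -1) if the call does not close on this line."""
    args, cur, depth, in_str, i = [], "", 0, False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\" and i + 1 < len(text):   # keep escaped char verbatim
                cur, i = cur + c + text[i + 1], i + 1
            else:
                cur, in_str = cur + c, c != '"'
        elif c in ")]}" and depth == 0:
            return args + [cur.strip()], i
        elif c == "," and depth == 0:
            args.append(cur.strip()); cur = ""
        else:
            in_str = c == '"'
            depth += (c in "([{") - (c in ")]}")
            cur += c
        i += 1
    return None, -1

def find_nonliteral_formats(source):
    """Return (line number, call text) for every printf-family call whose
    format argument is not a string literal: each one is a format-bug candidate."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            args, end = split_args(line[m.end():])
            idx = FORMAT_ARG_INDEX[m.group(1)]
            if args is not None and idx < len(args) and not args[idx].startswith('"'):
                hits.append((lineno, line[m.start():m.end() + end + 1]))
    return hits

# Constructed sample C: the post's two shapes plus a third-argument format.
SAMPLE_C = """\
fgets(str, sizeof str, stdin);
printf("%s", str);               /* safe: literal format */
if (rare_condition)
    printf(str);                 /* unsafe: input is the format */
snprintf(buf, sizeof(buf), msg); /* unsafe: format is argument 3 */
"""
```

Running `find_nonliteral_formats(SAMPLE_C)` reports lines 4 and 5 and leaves the `printf("%s", str)` call alone; it is a source-level aid only and says nothing about binaries, which is the post's harder case.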