|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Windows XP multiple local buffer overflows and format string bugs
From: Jérôme ATHIAS (jerome.athias
caramail.com)
Date: Sat Oct 23 2004 - 02:47:38 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi guys, little come back after a moving.
I don't remember to have seen these details, sorry if i'm wrong.
AUTHOR
Komrade
DATE
08/10/2004
PRODUCT
Windows XP
Tested on Windows XP Service Pack 2, prior versions should have the same bugs.
DETAILS
Here is a list of some Windows XP utilities that are vulnerable to local buffer overlows and format string bugs.
These programming errors, alone, are not security vulnerabilities (you need local access and you don't gain more privilege), but they could became serious security issues if someone has the possibility to remotely start a program with at least a parameter (what happens with the "shell:" protocol security issue in the Mozilla browser prior to version 1.7.3, that permits to remotely execute a program and pass to it parameters).
These informations have been disclosed to inform you that if a new vulnerability will be discovered which allows remote execution of programs (passing parameters), all Windows XP operating system will be affected by several remote buffer overflows and format string vulnerabilities allowing remote code execution.
Buffer Overlow in immc.exe
POC
c:\> immc.exe aaaaaaaaaa(285 'a' characters)
Buffer Overlow in eventvwr.exe (UNICODE)
POC
c:\> eventvwr.exe aaaaaaaaaa(848 'a' characters)
Buffer Overlow in netsetup.exe
POC
c:\> netsetup.exe aaaaaaaaaa(285 'a' characters)
Buffer Overlow in mrinfo.exe
POC
c:\> mrinfo.exe aaaaaaaaaa(71 'a' characters)
Format String in sort.exe
POC
c:\> sort.exe %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
SCAN TOOL
This tool scans your pc, checking if it is affected by one of this local bugs.
This tool only makes a system() call, starting the vulnerable programs with the opportune parameters.
http://unsecure.altervista.org/security/xplocalscan.c
Regards,
Jerome
-------------null
C est le moment de dynamiser votre boîte mail en découvrant les offres CaraMail Premium - http://www.caramailmax.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]