Home -
Security -
Utility -
Notepad -
Contact us
AUTHOR
Komrade
DATE
08/10/2004
PRODUCT
Windows XP
Tested on Windows XP Service Pack 2, prior versions should have the same bugs.
DETAILS
Here is a list of some Windows XP utilities that are vulnerable to local buffer overlows and format string bugs.
These programming errors, alone, are not security vulnerabilities (you need local access and you don't gain more privilege),
but they could became serious security issues if someone has the possibility to remotely start a program with at least a parameter (what happens with
the "shell:" protocol security issue in the Mozilla browser prior to version 1.7.3, that permits to remotely execute a program and pass to it parameters).
These informations have been disclosed to inform you that if a new vulnerability will be discovered which allows remote execution of programs (passing parameters), all
Windows XP operating system will be affected by several remote buffer overflows and format string vulnerabilities allowing remote code execution.
Buffer Overlow in immc.exe
POC
c:\> immc.exe aaaaaaaaaa(285 'a' characters)
Buffer Overlow in eventvwr.exe (UNICODE)
POC
c:\> eventvwr.exe aaaaaaaaaa(848 'a' characters)
Buffer Overlow in netsetup.exe
POC
c:\> netsetup.exe aaaaaaaaaa(285 'a' characters)
Buffer Overlow in mrinfo.exe
POC
c:\> mrinfo.exe aaaaaaaaaa(71 'a' characters)
Format String in sort.exe
POC
c:\> sort.exe %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
SCAN TOOL
Download XpLocalScan.exe
This tool scans your pc, checking if it is affected by one of this local bugs.
This tool only makes a system() call, starting the vulnerable programs with the opportune parameters. (view source code)