Factbites
 Where results make sense
About us   |   Why use us?   |   Reviews   |   PR   |   Contact us  

Topic: Format string bug


Related Topics
Pax

  
  Format string attack - Wikipedia, the free encyclopedia
Format string attacks are a new class of vulnerabilities, discovered in June of 2000 by Przemysław Frasunek and tf8, that were previously thought to be harmless.
Format string attacks can be used to crash a program or to execute harmful code.
Format bugs arise because C's argument passing conventions are type-unsafe.
en.wikipedia.org/wiki/Format_string_bug   (362 words)
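Added example, not code from the Wikipedia article or from any of the pages listed here: the type-unsafety the snippet refers to, shown in C beside the one-line fix. printf-family functions cannot see how many arguments were passed or what types they have; they trust the format string to say so. The function names, the sample strings and the 0xdeadbeef argument are all constructed for this illustration.

```c
/* Added example (not from the Wikipedia article or any quoted project):
 * a user-controlled format string in C, beside the hardened form. */
#include <stdio.h>
#include <string.h>

/* VULNERABLE: the caller's data is the format string.  "%x%x%x" reads
 * whatever the ABI would have used for the missing arguments (registers or
 * stack), "%n" writes to an attacker-chosen location, "%s" dereferences one.
 * The same pattern appears as printf(user), syslog(LOG_INFO, user), etc. */
int render_unsafe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, user);   /* gcc/clang -Wformat-security warn here */
}

/* HARDENED: a constant format; the user data is consumed by one "%s". */
int render_safe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

/* Type-unsafety made visible without undefined behaviour: a logging helper
 * that legitimately passes one extra argument.  Because the format decides
 * how that argument is interpreted, whoever controls the format can read the
 * argument back as hex with "%lx" even though the intended format never
 * exposed it.  "%s" would instead treat it as a pointer and crash. */
int render_with_arg(char *out, size_t outsz, const char *fmt, unsigned long arg)
{
    return snprintf(out, outsz, fmt, arg);
}

/* Minimal trust-boundary check: does the text contain a conversion directive?
 * "%%" is a literal percent sign and is skipped. */
int has_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {       /* escaped percent: skip both characters */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[64];
    render_safe(buf, sizeof buf, "%x%x%x%n");            /* stays literal */
    printf("safe:   %s\n", buf);
    render_unsafe(buf, sizeof buf, "hello");             /* harmless only because no '%' */
    printf("unsafe: %s\n", buf);
    render_with_arg(buf, sizeof buf, "%lx", 0xdeadbeefUL); /* attacker-chosen format */
    printf("leaked: %s\n", buf);
    printf("directive in \"100%% done\": %d\n", has_directive("100%% done"));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` flags the `render_unsafe` call at build time, which is the cheapest check available for the bug class.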

  
 PaX - LearnThis.Info Encyclopedia   (Site not responding. Last check: 2007-10-08)
For example, a system in which 'well-known' default accounts retain their default names and passwords (i.e., is misconfigured and mal-administered) will be open to any attacker with access and a little perspective, and cannot be protected from them.
PaX also cannot block some format string bug based attacks.
PaX prevents or blocks attacks which exploit memory corruption bugs, such as those leading to shellcode and ret2libc attacks.
encyclopedia.learnthis.info/p/pa/pax_2.html   (3241 words)

  
 BADC0DED User Supplied Format String Bug   (Site not responding. Last check: 2007-10-08)
Format Bugs: What are they, Where did they come from,...How to exploit them
Exploiting the Libc Locale Subsystem Format String Vulnerability on Solaris/SPARC
Read this: *printf implementation bugs are another way to exploit a usfs vulnerability.
julianor.tripod.com/usfs.html   (76 words)

  
 Diary for metaur
I have found a format string bug in GNU nano, I have patched pavuk some more, and I have posted a little text to the Debian-audit list about when format string bugs also become buffer overflows because of bad length assumptions in sprintf() calls.
I have reported a bunch of potential buffer overflows and format string bugs in Mutt, a format string bug in Mew, some buffer overflows in ARC, and some buffer overflows in rockdodger.
This bug could be used for getting shell access when you only have FTP access, sending evil signals here and there, or even running a rogue server that will make the httpd child you cracked send out the wrong content for http://www.bautaisp.com/.
www.advogato.org/person/metaur/diary.html?start=26   (2659 words)

  
 SecurityTracker.com Archives - smtp.proxy Format String Bug Lets Remote Users Execute Arbitrary Code
The bug can be exploited by sending a message with an embedded format string in either the client hostname or the message-id; the user-specified message-id string is obviously the most convenient to use, though.
This means that even though it is a blind format string attack (the output is not written back to the client) it can still be exploited reliably by determining exploit parameters step by step.
Address to the shellcode
Determining the offset to the format string can be done by embedding a known non-writable address in the message-id and attempting to write into it with %*n at different stack offsets.
www.securitytracker.com/alerts/2004/Jun/1010461.html   (1121 words)
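Added example, not code from the smtp.proxy advisory and not an exploit for it: the two printf features that the step-by-step approach described above relies on, exercised with legitimate arguments so the program stays well defined. `%n` stores the number of characters emitted so far into the `int *` taken as the next argument, and a field width chooses that number; POSIX positional access (`%N$...`) selects the N-th argument directly, which is how an attacker reaches the word at a given stack offset, and that offset is what the advisory probes for. The function names, the 0x41414141 address and the offset 7 are constructed for the illustration; the probe layout assumes a 32-bit little-endian target.

```c
/* Added example (not from the smtp.proxy advisory): the "%n" write primitive
 * and the offset probe that a blind format string attack is built from. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Write `value` into *target using only format directives: a hex field of
 * width `value`, then "%n".  Argument 1 is the padded number, argument 2 the
 * width, argument 3 the destination pointer.  In a real attack the pointer is
 * not passed by the program; it is attacker bytes already lying on the stack.
 * A zero-width field still prints one digit, so values start at 1. */
int write_via_n(int *target, int value)
{
    char scratch[4096];   /* glibc's %n counts every character, so keep it untruncated */
    if (value < 1 || value >= (int)sizeof scratch)
        return -1;
    snprintf(scratch, sizeof scratch, "%1$*2$x%3$n", 0u, value, target);
    return 0;
}

/* Build the probe the advisory describes for one candidate offset: a known
 * address at the front of the controlled buffer, followed by a directive that
 * asks printf to treat argument number `offset` as an int* and write to it.
 * Against an address the process cannot write to, the service only crashes
 * when `offset` is the one where the address itself sits, which is the
 * observable signal in a blind attack.  Address bytes equal to 0x00 would
 * terminate the string; real probes pick addresses or positions avoiding it. */
size_t build_probe(char *out, size_t outsz, uint32_t addr, int offset)
{
    if (outsz < 4 + 16)
        return 0;
    out[0] = (char)(addr & 0xff);          /* little-endian 32-bit layout, assumed */
    out[1] = (char)((addr >> 8) & 0xff);
    out[2] = (char)((addr >> 16) & 0xff);
    out[3] = (char)((addr >> 24) & 0xff);
    int n = snprintf(out + 4, outsz - 4, "%%%d$n", offset);
    return n < 0 ? 0 : 4 + (size_t)n;
}

int main(void)
{
    int target = 0;
    write_via_n(&target, 300);
    printf("value written through %%n: %d\n", target);

    char probe[32];
    size_t len = build_probe(probe, sizeof probe, 0x41414141u, 7); /* constructed */
    printf("probe (%zu bytes): %s\n", len, probe);
    return 0;
}
```

Stepping `offset` upward in `build_probe` until the crash appears is the "determining exploit parameters step by step" from the advisory; once the offset is known the same `%N$n` directive, with a writable address in front, becomes the write used to redirect control flow.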

  
 [No title]   (Site not responding. Last check: 2007-10-08)
Date: 29 Sep 2003
Hey, some weeks ago I found a format string bug in the Half-Life client.
This means that a malicious server can send formatted strings to each client.
Unfortunately, I don't have much experience with the exploitation of format string bugs, so I can't be sure about the "real" exploitation of this problem to execute remote code on the client.
aluigi.altervista.org/adv/hlclientfs-adv.txt   (152 words)

  
 Neohapsis Archives - Bugtraq - Stunnel: Format String Bug update - From bugtraq
There are format string bugs in each of the smtp, pop, and nntp
There are no format string bugs in Stunnel when run as an SSL
I found a format string bug in stunnel.
archives.neohapsis.com/archives/bugtraq/2002-01/0021.html   (603 words)

  
 Advisories : lpr has a format string security bug
It also mishandles any extension to the lpd communication protocol, and assumes that the instructions contained in the extension are a file it should try to print.
Problem description: The old BSD-based lpr which we shipped with Red Hat Linux 5.x and 6.x has a recently discovered format string bug in its calls to the syslog facility.
While we are not aware of any exploits for this issue, it might be possible for a user to gain local root access.
www.secureroot.com/security/advisories/9719823538.html   (586 words)

  
 [No title]   (Site not responding. Last check: 2007-10-08)
2) Bug
The game is affected by a format string bug that can be exploited by an attacker to execute malicious code through the sending of a malformed message.
The attacker cannot send the malformed message directly from his game because he would exploit his own machine, so the use of a program that modifies the packets on the fly (a UDP proxy, for example) is suggested.
The vulnerability was reported to the developers a couple of months ago but they were not able to patch the bug; I contacted them again recently but have received no reply.
aluigi.altervista.org/adv/xprallyfs-adv.txt   (151 words)

  
 LWN.net weekly edition
A format string bug in the authentication API for mail clients and servers may be remotely exploitable.
Format string and buffer overflow problems in pmake may lead to a local root compromise when pmake is installed suid root.
If we find bugs in "bug", their fixes have to be propagated over to mutt's tool.
lwn.net/2001/1129/bigpage.php3   (9938 words)

  
 Neohapsis Archives - Bugtraq - format string bug in muh - From mux
format string bug which can be used to make muh crash and probably to gain the
the third parameter is a format string and so, user data is supplied to the
archives.neohapsis.com/archives/bugtraq/2000-09/0067.html   (327 words)

  
 [Full-Disclosure] ez-ipupdate format string bug   (Site not responding. Last check: 2007-10-08)
ez-ipupdate format string bug
"ez-ipupdate is a quite complete client for the dynamic DNS service offered by http://www.ez-ip.net/ and many more. All services using GNUDip are also supported." (from packages.debian.org)
I have found a format string bug in ez-ipupdate.
The format string bug allows a malicious remote server to execute arbitrary code on the machine running ez-ipupdate, if and only if daemon mode is on (very common) and certain service types are used.
lists.grok.org.uk/pipermail/full-disclosure/2004-November/028590.html   (252 words)

  
 Convert a Wikipedia encyclopedia to TomeRaider 3 format   (Site not responding. Last check: 2007-10-08)
You can choose to include images, in case you want to put the TomeRaider database on your notebook, or when your PDA features a huge memory card.
TomeRaider bug fixing and optimization will continue for a while, so please check on each run.
This script version recognizes dumps both in old and new format.
members.chello.nl/epzachte/Wikipedia/ProcedureTR3.html   (4182 words)

  
 [Full-disclosure] Evolution multiple remote format string bugs
These bugs lead to crashes or the execution of arbitrary assembly language code.
Details:
1) The first format string bug occurs when viewing the full vCard data attached to an e-mail message.
He or she could then send out e-mail messages with malicious vCards to many e-mail accounts at the organisation, in the hope that some of the recipients will view the full vCard data sooner or later, thus exposing the organisation to this format string bug.
lists.grok.org.uk/pipermail/full-disclosure/2005-August/035922.html   (530 words)

  
 [No title]   (Site not responding. Last check: 2007-10-08)
Title: Foundstone Fscan Format String Bug
BUG-ID: 2002014
Released: 19th Apr 2002
Problem: A flaw in Foundstone Fscan could result in a malicious service banner overwriting the stack and the EIP on the PC performing the scanning.
More Information: Guardent has published a small whitepaper on Format String Attacks: http://www.guardent.com/docs/FormatString.PDF
Vendor URL: You can visit the vendor's webpage here: http://www.foundstone.com
Vendor response: The vendor was contacted on the 14th of April, 2002. The vendor identified the problem as a format string bug.
packetstorm.linuxsecurity.com/advisories/misc/fscan.txt   (332 words)

  
 [No title]   (Site not responding. Last check: 2007-10-08)
In the latest version (3.8.1) there are still lots of bugs that could be used by a user to execute arbitrary code with root privileges.
In load_tt_part() our string will first be copied into "globals.tables_filename", which will overflow the static buffer idbuff[256].
This bug can be used to overwrite the EIP and execute arbitrary code.
www.packetstormsecurity.nl/0311-advisories/outsiders-terminatorX-001   (678 words)

  
 SecurityTracker.com Archives - ISDN4Linux Utils 'ipppd' Server Format String Bug May Let Local Users Gain Root ...
GOBBLES issued an exploit for a format string vulnerability in 'ipppd'.
By providing a specially crafted string, a local user can cause arbitrary code to be executed with elevated privileges.
Finding format bugs is a difficult task, and should be left to the professionals.
www.securitytracker.com/alerts/2002/Aug/1005012.html   (787 words)

  
 ImageMagick format string bug - Red Hat - Xatrix Security
A format string bug was found in the way ImageMagick handles filenames.
An attacker could execute arbitrary code on a victim's machine if they were able to trick the victim into opening a file with a specially crafted name.
Additionally, a bug was fixed which caused ImageMagick(TM) to occasionally segfault when writing TIFF images to standard output.
www.xatrix.org/advisory.php?s=5911   (320 words)

  
 Gentoo Linux Documentation -- Dillo: Format string vulnerability
Dillo is vulnerable to a format string bug, which may result in the execution of arbitrary code.
Gentoo Linux developer Tavis Ormandy found a format string bug in Dillo's handling of messages in a_Interface_msg().
An attacker could craft a malicious web page which, when accessed using Dillo, would trigger the format string vulnerability and potentially execute arbitrary code with the rights of the user running Dillo.
www.gentoo.org/security/en/glsa/glsa-200501-11.xml   (120 words)

  
 CAN-2004-1006 (under review)
Therefore, this candidate may be modified or even rejected in the future.
Format string vulnerability in the log functions in dhcpd for dhcp 2.x allows remote DNS servers to execute arbitrary code via certain DNS messages, a different vulnerability than CAN-2002-0702.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities.
www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1006   (133 words)

  
 Viruslist.com - Exploit
The term exploit describes a program or a piece of code or even some data that is designed to take advantage of a bug or vulnerability in an application or operating system.
Exploits are often named after the vulnerabilities they use to penetrate systems: buffer overflow, format string attacks, race condition, and cross-site scripting.
As a result, security experts and virus writers are engaged in a never-ending race to find vulnerabilities first: the security community writes patches, while the computer underground writes exploits.
www.viruslist.com/en/viruses/glossary?glossid=153603119   (117 words)

  
 [Debian-audit] Format string bug becomes buffer overflow, because of bad length assumption
A format string bug can also be a buffer overflow, in the special case where the program author uses sprintf() and thinks that the size of the destination is the same as the size of the source.
This could be in the form of a strlen() check or a malloc() that allocates as much space for the destination as the source takes.
shellcode.org/pipermail/debian-audit/2004-November/000047.html   (272 words)
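Added example, not code from the Debian-audit post or from any program it audited: the length assumption described above, made explicit, and why format expansion breaks it. A program that allocates `strlen(src) + 1` bytes and then uses `src` itself as the `sprintf` format overflows the heap as soon as `src` carries a field width larger than its own length. The function names and the "%100x" input are constructed for the illustration.

```c
/* Added example (not from the Debian-audit post): a format string bug that
 * is also a heap overflow because the destination was sized to the source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length the string would have after being run through printf as a format.
 * snprintf(NULL, 0, ...) returns that length without writing anywhere.  The
 * two zero arguments stand in for whatever the victim program passed (or, with
 * no arguments at all, whatever sat on the stack); they keep the demonstration
 * well defined for the inputs used below. */
int expanded_length(const char *fmt)
{
    return snprintf(NULL, 0, fmt, 0, 0);
}

/* The post's implicit assumption, written out: output length == input length.
 * It holds only when the input contains no conversion directive. */
int size_assumption_holds(const char *src)
{
    return expanded_length(src) == (int)strlen(src);
}

/* VULNERABLE: destination sized to the source, source used as the format.
 * "%100x" is 5 bytes plus NUL but expands to 100 bytes: heap overflow.
 * Shown for the pattern only; never call it with untrusted input. */
char *copy_bad(const char *src)
{
    char *dst = malloc(strlen(src) + 1);
    if (dst == NULL)
        return NULL;
    sprintf(dst, src);                 /* format string bug AND overflow */
    return dst;
}

/* FIXED: with a constant format the output length really is strlen(src),
 * so the allocation above is exactly right. */
char *copy_good(const char *src)
{
    char *dst = malloc(strlen(src) + 1);
    if (dst == NULL)
        return NULL;
    sprintf(dst, "%s", src);           /* or memcpy(dst, src, strlen(src) + 1) */
    return dst;
}

int main(void)
{
    const char *probe = "%100x";       /* constructed attacker input */
    printf("strlen(\"%s\") = %zu, expanded length = %d\n",
           probe, strlen(probe), expanded_length(probe));
    printf("assumption holds for \"hello\": %d, for \"%s\": %d\n",
           size_assumption_holds("hello"), probe, size_assumption_holds(probe));

    char *ok = copy_good(probe);
    printf("copy_good keeps it literal: %s\n", ok);
    free(ok);

    char *harmless = copy_bad("hello"); /* harmless only because no '%' */
    printf("copy_bad on benign input: %s\n", harmless);
    free(harmless);
    return 0;
}
```

The same mismatch exists when the destination is a fixed stack buffer checked against `strlen(src)`: the check measures the input, but `sprintf` writes the output.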

  
 Re: format string bug in muh
On Sat, 9 Sep 2000, Maxime Henrion wrote: > The latest version, 2.05d (and probably other versions...) is > vulnerable to a format string bug which can be used to make muh crash > and probably to gain the privileges of the user running muh.
www.cotse.com/mailing-lists/bugtraq/2000/Sep/0202.html   (269 words)

  
 Gameguru Mania :: View topic - In-game format string in Judge Dredd vs. Death 1.01
Dredd vs Death is a cool FPS game based on the comic strip of the same name.
The problem is a format string bug in the handling of the messages
gameguru.box.sk/forum/viewtopic.php?t=1573   (200 words)

  
 [No title]   (Site not responding. Last check: 2007-10-08)
Location: http://www.ngsec.com/docs/advisories/NGSEC-2002-3.txt
Overview: Sun Solaris in.talkd is vulnerable to a format string bug which can be exploited remotely.
An attacker can request a talk session with an especially crafted luser field able to write memory and gain control of the flow of in.talkd.
NGSEC has developed an exploit for this vulnerability but we are not going to release it for obvious reasons (remote root compromise of a widely spread application).
www.ngsec.com/docs/advisories/NGSEC-2002-3.txt   (332 words)

  
 Gain a shell remotely : mod_ntlm overflow / format string bug
There is a buffer overflow as well as a format string issue in this server
www.securityspace.com/smysecure/catid.html?id=11552   (129 words)

  
 Perdition: Vanessa Logger 0.0.1 String Format Bug   (Site not responding. Last check: 2007-10-08)
First I would like to express great dismay that this was published on a public list (BugTraq) without prior consultation with the author (myself) or to my knowledge the maintainer of the FreeBSD port, Konstantinos Konstantinidis.
There is a string format bug in vanessa_logger 0.0.1 which is what the post to BugTraq makes reference to.
If these options are used then the potential risk from any exploits stemming from the string format bug in vanessa_logger are significantly reduced.
www.vergenet.net/linux/perdition/string_format.shtml   (195 words)

  
 format string bug in muh
Moreover, muh stays connected when you are not, and can log any message you receive.
The latest version, 2.05d (and probably other versions...) is vulnerable to a format string bug which can be used to make muh crash and probably to gain the privileges of the user running muh.
Since I've not seen this in the bugtraq archive, I post it.
www.cotse.com/mailing-lists/bugtraq/2000/Sep/0201.html   (407 words)

  
 SecurityFocus
Format string bug in EpicGames Unreal engine Mar 10 2004 04:30PM
The problem is a format string bug in the Classes management.
This bug was signaled to EpicGames EXACTLY on the 2nd of September 2003
www.securityfocus.com/archive/1/356904   (270 words)

  
 SecuriTeam.com ™ - OllyDbg Format String Bug
There exists a format string bug in the code that handles Debugger Messages in OllyDbg.
The Windows API is actually very debugger friendly and has many functions to interact with debuggers (most likely built for their own (safe) debugger WinDbg).
One of these functions, OutputDebugString, sends a string directly to the debugger for interpretation; OllyDbg displays it to the user via a status line along the bottom, but the display call lacks a format specifier, which means the user-supplied string is itself used as the format string.
www.securiteam.com/windowsntfocus/5ZP0N00DFE.html   (310 words)

  
 Bug 321 - Format string for scalebars   (Site not responding. Last check: 2007-10-08)
It would be nice to have a format string (e.g.
I believe something similar already exists for grids so I would pattern it after that.
mapserver.gis.umn.edu/bugs/show_bug.cgi?id=321   (56 words)


Copyright © 2005-2007 www.factbites.com Usage implies agreement with terms.