Bugtraq mailing list archives
Re: ImmuniX OS Security Alert: StackGuard 1.21 Released
From: core.lists.bugtraq () CORE-SDI COM (Gerardo Richarte)
Date: Wed, 10 Nov 1999 15:20:19 -0300
Crispin Cowan wrote:

> Consider this vulnerable code:
>
>     #include <stdio.h>
>
>     void foo(char * arg) {
>         char * p = arg;   // a vulnerable pointer
>         char a[25];       // the buffer that makes the pointer vulnerable
>         gets(a);          // using gets() makes you vulnerable
>         gets(p);          // this is the good part
>     }
>
> In attacking this code, the attacker first overflows the buffer a[] with
> a goal of changing the value of the char * p pointer. Specifically, the
> attacker can cause the p pointer to point anywhere in memory, but
> especially at a return address record in an activation record. When the
> program then takes input and stores it where p points, the input data is
> stored where the attacker said to store it.

I think that, having this kind of overflow available, StackGuard is still vulnerable to a little smarter attack.

You may think that this code example is too tricky, but there was a buffer overflow in BIND's inverse query (http://www.securityfocus.com/vdb/bottom.html?vid=134) like this.

This reminds me of some code I wrote to exploit this on SPARCs. As it was just one call deep, it was impossible to overwrite the return address, so, by using a memcpy() to a pointer I could overwrite (like the one in the example code), I overwrote part of the libc in memory, let's say printf, so when the program called printf() after the second memcpy(), instead of calling the original printf() it called my code.

Here you have an exploit that can still be used if you have StackGuard.

Am I wrong?

Gerardo Richarte
--
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com

---
For a personal reply use gera () core-sdi com
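The point of the exchange above is that a return-address canary only checks one location, while the first gets() gives the attacker a pointer (p) that decides where the second gets() writes. The added example below is not from the original post or from StackGuard; it shows the source-level fix a defender applies to the quoted foo(): both reads are bounded, so the first input can never reach p and the second can never exceed the target. The names foo_safe, bounded_copy and the two demo functions are hypothetical, and the inputs are constructed to stand in for the two lines gets() would have read from stdin.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 25   /* same size as the a[25] buffer in the quoted code */

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if the input is too long (nothing is written). */
static int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened counterpart of foo() (hypothetical name). The two inputs are
 * passed in as strings, standing in for the two lines gets() would read,
 * so the function can be exercised offline. arg_size is the capacity of
 * the memory arg points to. */
int foo_safe(char *arg, size_t arg_size, const char *in1, const char *in2)
{
    char *p = arg;      /* the pointer the original overflow could redirect */
    char a[BUF_SIZE];   /* the buffer that sat next to it on the stack */

    /* First read: bounded, so it can never run past a[] into p. */
    if (bounded_copy(a, sizeof a, in1) != 0)
        return -1;

    /* Second read: p still equals arg, and this write is bounded as well. */
    if (bounded_copy(p, arg_size, in2) != 0)
        return -1;
    return 0;
}

/* Constructed check: an input longer than a[] is rejected outright and the
 * target buffer is left untouched. Returns 1 when that holds. */
int demo_rejects_overflow(void)
{
    char target[32] = "untouched";
    char oversized[64];

    memset(oversized, 'A', sizeof oversized - 1);   /* 63 bytes, > BUF_SIZE */
    oversized[sizeof oversized - 1] = '\0';

    if (foo_safe(target, sizeof target, oversized, "x") != -1)
        return 0;
    return strcmp(target, "untouched") == 0;
}

/* Constructed check: well-sized inputs still work and the second line
 * lands in arg, exactly as the original foo() intended. Returns 1 if so. */
int demo_accepts_bounded(void)
{
    char target[32] = "";

    if (foo_safe(target, sizeof target, "short line", "hello") != 0)
        return 0;
    return strcmp(target, "hello") == 0;
}

int main(void)
{
    printf("oversized input rejected, target intact: %s\n",
           demo_rejects_overflow() ? "yes" : "no");
    printf("bounded inputs accepted: %s\n",
           demo_accepts_bounded() ? "yes" : "no");
    return 0;
}
```

Rejecting over-long input instead of silently truncating it is deliberate: truncation keeps the program running on data the caller never validated, while a hard failure is easy to log and makes the corrupted-pointer path impossible rather than merely harder.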
Current thread:
- ImmuniX OS Security Alert: StackGuard 1.21 Released Crispin Cowan (Nov 09)
- Re: ImmuniX OS Security Alert: StackGuard 1.21 Released Gerardo Richarte (Nov 10)
- Re: ImmuniX OS Security Alert: StackGuard 1.21 Released Crispin Cowan (Nov 10)
- Re: ImmuniX OS Security Alert: StackGuard 1.21 Released Iván Arce (Nov 10)
- Vulnerability in ImmuniX OS Security Alert: StackGuard 1.21 Released Gerardo Richarte (Nov 11)
- Re: Vulnerability in ImmuniX OS Security Alert: StackGuard 1.21 Released Crispin Cowan (Nov 13)