Bugtraq mailing list archives
Re: Buffer overflow/privilege escalation in MacOS X
From: Seth Arnold <sarnold () wirex com>
Date: Tue, 16 Dec 2003 09:39:48 -0800
On Mon, Dec 15, 2003 at 05:48:21PM -0500, Dave G. wrote:
The overflow occurs in main() and there is an unavoidable exit() at the end of the function. So while you can overwrite the return stack frame, the process will never use your new value.
Are you sure about this? exit(3) will perform cleanup functionality with at least stdio streams before calling exit(2). If FILE * are located in the same autovariable space as the overflowed buffer, there exists the possibility those stream pointers have been smashed; if those stream pointers have been smashed, I would NOT be confident in claiming this buffer overflow poses no problem. Remember that the latest OpenSSH vulnerabilities relied on the cleanup behaviour embedded throughout the code. (A call to a fatal-death function wasn't as fatal as the name would indicate. Oops.) -- A: No. Q: Should I include quotations after my reply?
Attachment:
_bin
Description:
Current thread:
- Buffer overflow/privilege escalation in MacOS X Max (Dec 15)
- Re: Buffer overflow/privilege escalation in MacOS X David Riley (Dec 18)
- <Possible follow-ups>
- Re: Buffer overflow/privilege escalation in MacOS X Dave G . (Dec 16)
- Re: Buffer overflow/privilege escalation in MacOS X Seth Arnold (Dec 16)
- Re: Buffer overflow/privilege escalation in MacOS X Mariusz Woloszyn (Dec 16)
- Re: Buffer overflow/privilege escalation in MacOS X Max (Dec 16)