Bugtraq mailing list archives

Re: Buffer overflow/privilege escalation in MacOS X


From: Mariusz Woloszyn <emsi () ipartners pl>
Date: Tue, 16 Dec 2003 19:15:13 +0100 (CET)

On Mon, 15 Dec 2003, Dave G. wrote:

> Indeed.  However, due to several mitigating factors, this issue does not
> appear to be exploitable (at least not with any of the techniques I am
> aware of).  The overflow occurs in main() and there is an unavoidable
> exit() at the end of the function.  So while you can overwrite the
> return stack frame, the process will never use your new value.

But you overflow local variables, argc and argv**, so if the program ever
uses them after the overflow, it might be possible to exploit it, _before_
exit().

See: http://www.phrack.org/show.php?p=56&a=5, at the end of the "Oily way"
part. We explained there how to exploit code protected by a compiler that
places a canary word before the RET. Of course a couple of conditions
must be fulfilled.

Regards,

-- 
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners
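The point made above, that a local pointer clobbered by the overflow can be abused when the function still uses it before exit(), as an added, constructed example that is not code from the original post or from the vulnerable MacOS X binary. A struct stands in for the frame of a main()-like function so that the buffer/pointer adjacency is guaranteed instead of depending on the compiler's stack layout; the pointer field `out` plays the role of argv or any other local pointer used after the copy. The names `run_copy`, `build_payload`, `secret` and `scratch` are assumptions of this example only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a main()-like frame: a fixed buffer immediately
 * followed by a pointer the function dereferences later in the same frame.
 * Using a struct makes the layout deterministic for the demonstration. */
struct frame {
    char buf[16];
    char *out;      /* the local pointer (think argv) used after the copy */
};

/* Constructed targets: the write through f.out should only ever hit scratch. */
static char secret[16] = "unchanged";
static char scratch[16] = "";

/* Copies len bytes of input into the frame, then writes through f.out before
 * returning (i.e. before any exit() the caller performs). With bounded == 0
 * the copy is allowed to run past buf into out, modelling strcpy-style code;
 * with bounded == 1 it is capped at sizeof buf, modelling the fixed code.
 * Returns 1 if the write through f.out landed in secret, 0 otherwise. */
int run_copy(const unsigned char *input, size_t len, int bounded)
{
    struct frame f;
    unsigned char *raw = (unsigned char *)&f;
    size_t limit = bounded ? sizeof f.buf : sizeof f;
    size_t i;

    f.out = scratch;
    strcpy(secret, "unchanged");          /* reset state between runs */
    scratch[0] = '\0';

    if (len > limit)
        len = limit;
    for (i = 0; i < len; i++)             /* the "overflow" */
        raw[i] = input[i];

    strcpy(f.out, "pwned");               /* use of the pointer, before exit() */
    return strcmp(secret, "pwned") == 0;
}

/* Builds the attacker input: filler up to the pointer field, then the address
 * of secret so that the overwritten f.out points at it. Returns the payload
 * length, or 0 if cap is too small. */
size_t build_payload(unsigned char *payload, size_t cap)
{
    char *target = secret;
    size_t off = offsetof(struct frame, out);
    size_t n = off + sizeof target;

    if (cap < n)
        return 0;
    memset(payload, 'A', off);
    memcpy(payload + off, &target, sizeof target);
    return n;
}

int main(void)
{
    unsigned char payload[sizeof(struct frame)];
    size_t n = build_payload(payload, sizeof payload);

    printf("bounded copy hit secret:   %d\n", run_copy(payload, n, 1));
    printf("unbounded copy hit secret: %d\n", run_copy(payload, n, 0));
    return 0;
}
```

Nothing here touches the saved return address, so an unavoidable exit() at the end of the function is irrelevant: the damage is done by the dereference that happens first. The same idea applies to argv when main() reads it after the overflowing copy, and it is also why a canary placed only in front of the RET does not protect locals that sit above the buffer.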

