Vulnerability Development mailing list archives

Re: Must coredump? No. (Was: Local root through vuln...)


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Thu, 24 Aug 2000 02:00:13 +0200

Thinking of it, the last assumption is a bit dangerous. I still think it
to be true, but theoretically a data overflow could do something really
funny - like overwriting a format string. Exploiting one vulnerability
to exploit yet another :)

Wrote a demo of this idea. It's rather obvious but I simply didn't fall
asleep until I did it. Probably real applications aren't this obviously
vulnerable, but some may have similar bugs less obvious... Notice that the
first vulnerability, the overflowable data, doesn't actually cause any
coredump while sizes are <204. In a more complex program, maybe this would
have been missed or it wouldn't have coredumped at all. I guess it depends on
the source, the compiler, the architecture and god knows what else.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

[bluefish@blue playground]$ cat vuln_do.c
#include <stdio.h>
#include <string.h>   /* strcpy */

int main(void) {
 char s1[100],s2[100];
 strcpy(s1,"This example should demonstrate a dataoverflow\n");

 gets(s2); // overflowable...... (s2 is adjacent to s1 on the stack)

 printf(s1); // s1 used directly as the format string
 return 0;
}

[bluefish@blue playground]$ gcc -o vuln_do vuln_do.c
/tmp/ccteQVjy.o: In function `main':
/tmp/ccteQVjy.o(.text+0x22): the `gets' function is dangerous and should not be used.

[bluefish@blue playground]$ echo "" | ./vuln_do
This example should demonstrate a dataoverflow

[bluefish@blue playground]$ perl -e 'print"A"x100 . "This is exploitable, eh?";' | ./vuln_do
This is exploitable, eh?

[bluefish@blue playground]$ perl -e 'print"A"x100 . "Lets try formatation bug! %s%s%s%s%s";' | ./vuln_do

[bluefish@blue playground]$ strings core | grep AAA
AAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALets try formatation bug! %s%s%s%s%s
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALets try formatation bug! %s%s%s%s%s

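The hardened counterpart of vuln_do.c, as an added example that is not part of the original post: a bounded read replaces gets() so s2 can no longer spill into s1, and s1 is printed through a fixed "%s" so conversions smuggled into the data are never interpreted. The function names, the BUFSZ constant and the directive-counting helper are my own; the test inputs are the two payloads from the post, reconstructed.

```c
/* Hardened rewrite of the vuln_do.c demo (added example, not the
 * original poster's code). Two fixes: the overflowable gets() becomes a
 * bounded read, and user-influenced data is never used as a format string. */
#include <stdio.h>
#include <string.h>

#define BUFSZ 100
static const char MESSAGE[] = "This example should demonstrate a dataoverflow\n";

/* Bounded copy of one input line into s2, as fgets() would do with a
 * BUFSZ-sized buffer. Returns 1 if the input had to be truncated. */
static int read_line_bounded(const char *input, char s2[BUFSZ]) {
    size_t n = strcspn(input, "\n");          /* stop at newline, like fgets */
    int truncated = n > (size_t)(BUFSZ - 1);
    if (truncated) n = BUFSZ - 1;
    memcpy(s2, input, n);
    s2[n] = '\0';
    return truncated;
}

/* Runs the program logic on one constructed stdin line and writes what
 * printf would emit into out. Returns 1 if s1 was altered by the input
 * (the whole point of the fix is that this is always 0). */
int hardened_demo(const char *input, char *out, size_t outlen, int *truncated) {
    char s1[BUFSZ], s2[BUFSZ];
    snprintf(s1, sizeof s1, "%s", MESSAGE);   /* bounded, not strcpy */
    *truncated = read_line_bounded(input, s2);
    snprintf(out, outlen, "%s", s1);          /* s1 is data: fixed "%s" directive */
    return strcmp(s1, MESSAGE) != 0;
}

/* Detection helper: counts '%' conversions in untrusted text ("%%" is a
 * literal percent, not a directive), e.g. to flag "%s%s%s%s%s" in log review. */
int count_format_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void) {
    char line[4096], out[BUFSZ + 1];
    int truncated;
    if (!fgets(line, sizeof line, stdin)) return 1;
    hardened_demo(line, out, sizeof out, &truncated);
    fputs(out, stdout);
    if (truncated) fputs("[input truncated to fit s2]\n", stderr);
    return 0;
}
```

Piping the same perl one-liners from the post into this binary prints the original message both times, with no core file.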
