Vulnerability Development mailing list archives
Re: Overflows due to unexpected casts
From: OFriedrichs () SECURITY-FOCUS COM (Oliver Friedrichs)
Date: Fri, 21 Jan 2000 10:31:46 -0800
A thing which I am not certain about is, could such overflows be used to execute arbitrary code? E.g., will they always segfault prior to the point of copying the huge strings to the destination, or do they first try to return, leaving the possibility of executing code on the stack? Anyways,
This depends on what happens after the overflow occurs. The execution of the function causing the overflow will complete (in this case memcpy), trashing the stack (if the target variable is actually on the stack). In your function, it looks like the target variable is either on the stack in another function, or on the heap. Without seeing the calling functions, and where these variables are located, it's not possible to say what's happening.

memcpy overflows are very trivial to exploit, if they are overwriting a stack variable. The reason being that you don't need to worry about NULLs; anything can be copied onto the stack.

Every overflow is unique to exploit. Sometimes there are many operations that occur after the overflow (within the same function), and these operations reference pointers on the stack (which you then must also overwrite to point back to a valid location, or else they reference random memory and the program will crash).

One of the most interesting overflows I had ever found that used memcpy was in BIND, causing numerous network services and clients to be vulnerable to an overflow; see the following URL for details: http://www.nai.com/nai_labs/asp_set/advisory/01_binduntrusted_adv.asp

If you go to the library section on securityfocus.com and search for overflow, you'll find many papers by people who have spent much more time researching this than myself.

Take care,

- Oliver
securityfocus.com
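A constructed illustration of the cast problem this thread is about, added here and not code from Oliver's message or from BIND: a signed length field read from a hypothetical packet format (an assumption for the example) is validated before it reaches memcpy, and a small helper shows what the same negative value becomes once it is converted to memcpy's size_t parameter.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The unexpected cast: the negative int a parser reads from a length field,
   viewed as memcpy's size_t parameter sees it. */
size_t length_as_memcpy_sees_it(int len)
{
    return (size_t)len;            /* -1 becomes SIZE_MAX: a "huge string" copy */
}

/* Hardened copy: validate the signed length against both buffers before it
   is converted to size_t. Returns bytes copied, or -1 when rejected. */
int checked_copy(unsigned char *dst, size_t dst_size,
                 const unsigned char *src, size_t src_size, int len)
{
    if (len < 0)                return -1;   /* negative length: reject, never cast */
    if ((size_t)len > dst_size) return -1;   /* would run past the destination */
    if ((size_t)len > src_size) return -1;   /* would read past the source */
    memcpy(dst, src, (size_t)len);
    return len;
}

/* Hypothetical wire format (an assumption, not from the thread): a 4-byte
   big-endian signed length followed by that many payload bytes. */
int parse_and_copy(const unsigned char *pkt, size_t pkt_len,
                   unsigned char *dst, size_t dst_size)
{
    if (pkt_len < 4) return -1;
    uint32_t raw = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                   ((uint32_t)pkt[2] << 8)  |  (uint32_t)pkt[3];
    int32_t len = (int32_t)raw;    /* 0xFFFFFFFF on the wire reads as -1 here */
    return checked_copy(dst, dst_size, pkt + 4, pkt_len - 4, len);
}
```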