Vulnerability Development mailing list archives

Re: Overflows due to unexpected casts


From: OFriedrichs () SECURITY-FOCUS COM (Oliver Friedrichs)
Date: Fri, 21 Jan 2000 10:31:46 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A thing which I am not certain about is, could such overflows
be used to execute arbitrary code? E.g., will they always segfault
prior to the point of copying the huge strings to the destination,
or do they first try to return, leaving the possibility of
executing code on the stack? Anyways,

This depends on what happens after the overflow occurs.  The
execution of the function causing the overflow will complete (in this
case memcpy), trashing the stack (if the target variable is actually
on the stack).  In your function, it looks like the target variable
is either on the stack in another function, or on the heap.  Without
seeing the calling functions, and where these variables are located,
it's not possible to say what's happening.  memcpy overflows are very
trivial to exploit, if they are overwriting a stack variable.  The
reason being that you don't need to worry about NULLs, anything can
be copied onto the stack.  Every overflow is unique to exploit,
sometimes there are many operations that occur after the overflow
(within the same function), and these operations reference pointers
on the stack (which you then must also overwrite to point back to a
valid location, or else they reference random memory and the program
will crash).

One of the most interesting overflows I had ever found that used
memcpy was in BIND, causing numerous network services and clients to
be vulnerable to an overflow; see the following url for details

http://www.nai.com/nai_labs/asp_set/advisory/01_binduntrusted_adv.asp

If you go to the library section on securityfocus.com and search for
overflow, you'll find many papers by people who have spent much more
time researching this than myself.

Take care,

- - Oliver
securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOIik68m4FXxxREdXEQKVqQCfYu1S1M4K150Yso6yCKez/KviYf8AoLkM
/YbLuQzTo35TV0LITSYjXUV/
=/Uqm
-----END PGP SIGNATURE-----
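The two points in the reply above, that memcpy carries NUL bytes through where strcpy stops, and that a pointer the function uses after the copy has to be rewritten to something valid, plus the signed-length cast the thread subject names, in one added example. This is illustrative code written for this archive page, not code from the thread or from BIND: the stack frame is modelled as a struct so the copies stay inside one object instead of crashing, the 24-byte payload and the "valid pointer" bytes in it are constructed, and the `len <= sizeof buf` check is an assumed shape of the cast bug, since the original question is not on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Modelled stack frame.  A real frame is laid out by the compiler; here the
 * layout is explicit so every copy below stays inside one object and the
 * demonstration is well-defined rather than an actual crash.
 */
struct frame {
    unsigned char buf[16];   /* destination of the copy                 */
    unsigned char ptr[8];    /* bytes of a pointer used after the copy  */
};

enum copier { USE_MEMCPY, USE_STRCPY };

/*
 * Constructed payload (not from any real exploit): 16 filler bytes, then
 * the 8 bytes of a little-endian pointer to somewhere valid whose high
 * bytes are zero, as 64-bit user-space addresses typically are.
 */
static const unsigned char payload[24] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x10, 0x20, 0x30, 0x40, 0x00, 0x00, 0x00, 0x00
};
static const unsigned char wanted_ptr[8] = { 0x10, 0x20, 0x30, 0x40, 0, 0, 0, 0 };

/* Copy n bytes of src over the frame with memcpy or with strcpy semantics
 * (stop at the first NUL).  Returns how many payload bytes landed. */
static size_t do_copy(struct frame *f, enum copier how,
                      const unsigned char *src, size_t n)
{
    unsigned char *dst = (unsigned char *)f;
    if (n > sizeof *f)
        n = sizeof *f;               /* bounds the model, not the bug */
    if (how == USE_MEMCPY) {
        memcpy(dst, src, n);         /* NUL bytes are just data here  */
        return n;
    }
    size_t i = 0;
    while (i < n && src[i] != 0) {   /* strcpy: stops at the first NUL */
        dst[i] = src[i];
        i++;
    }
    if (i < n)
        dst[i] = 0;                  /* the terminator strcpy writes   */
    return i;
}

/* Run the overflow through the chosen copier; returns bytes copied and
 * sets *ptr_ok when the pointer slot holds exactly the chosen pointer. */
size_t overflow_frame(enum copier how, int *ptr_ok)
{
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    memset(f.ptr, 0xff, sizeof f.ptr);  /* whatever pointer was there before */
    size_t copied = do_copy(&f, how, payload, sizeof payload);
    *ptr_ok = memcmp(f.ptr, wanted_ptr, sizeof wanted_ptr) == 0;
    return copied;
}

int ptr_controlled(enum copier how)
{
    int ok;
    overflow_frame(how, &ok);
    return ok;
}

/* Assumed shape of the cast bug: a signed length survives the size check
 * and then turns huge when memcpy's size_t parameter receives it. */
int signed_check_passes(int len, size_t bufsz)
{
    return len <= (int)bufsz;        /* -1 <= 16 is true */
}

size_t as_memcpy_sees_it(int len)
{
    return (size_t)len;              /* (size_t)-1 == SIZE_MAX */
}

/* Hardened: reject negative lengths before any conversion happens. */
int checked_length(int len, size_t bufsz)
{
    return len >= 0 && (size_t)len <= bufsz;
}

int main(void)
{
    int ok;
    size_t n = overflow_frame(USE_MEMCPY, &ok);
    printf("memcpy: %zu bytes copied, pointer slot controlled: %d\n", n, ok);
    n = overflow_frame(USE_STRCPY, &ok);
    printf("strcpy: %zu bytes copied, pointer slot controlled: %d\n", n, ok);
    printf("signed check passes for -1: %d, memcpy would see %zu bytes\n",
           signed_check_passes(-1, 16), as_memcpy_sees_it(-1));
    printf("hardened check for -1: %d\n", checked_length(-1, 16));
    return 0;
}
```

The memcpy path delivers all 24 bytes, so the pointer slot ends up holding the chosen valid pointer and the later dereference survives; the strcpy path stops at the payload's first zero byte, leaving a half-written pointer that would send the function off to random memory, which is the crash the reply describes. The cast functions show why a check on a signed length is not a check at all once the value is handed to memcpy.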

