Vulnerability Development mailing list archives

Re: stackguard-like embedded protection


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Fri, 8 Sep 2000 13:03:00 +0200

> (thanks for the links, must have a look at them as soon as I get time for
> it! :)

> I was a bit annoyed by people presenting very simple/basic solutions
> as 'research' just because they have a degree,
> and I'm always impressed by the impact the name you give something has on
> its acceptance.. nonetheless I apologize for my initial flame.

Ah, agreed. The ProPolice report was a quite good example of 'research': it
showed that they had studied other solutions, could motivate why they
thought theirs to be better, and actually solved more than one problem.

> Regarding those people that have asked me whether I have removed/replaced %s
> too, I'm not sure if this question was a serious one or just ironic,
> to show me the stupidity of breaking standards.

Using %s was one of the ways printf was abused. Your mail was easily
interpreted as if the affair were simple and merely removing %n would solve
all printf issues.

> In either case the answer is that I have a lot less fear of people reading
> the memory contents of my (e.g.) httpd than of them being able to modify
> memory and thus, possibly, arbitrarily altering execution flow.
> Are there non-passive (!memory peeking) vulnerabilities related to vfprintf()
> that I've not heard about yet? If so I'd be very interested in reading more
> about them.

The emails and the format bug reports by CERT etc. presented after the
problems pointed out that printf (and any other vararg function with
similar problems) can modify execution order by popping arguments until
the 'return address' is pointing to another value. If the stack contains a
reference to the buffer which is in use, the attacker can also supply
shellcode (as if being able to modify execution order isn't bad enough).

Perhaps we should try to work on an instructive example, as it seems there
is still light to be shed on this - or is there some Phrack article or
something on this subject? There are plenty on how to do buffer
overflows; a small instructive example showing shell code being supplied
to snprintf or something could be useful.

> PS: despite the .edu, English isn't my native tongue.. please don't flame
> me (again) for my writing style.

I haven't made any complaints about your English or writing style, at least
not intentionally.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

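As an added illustration that is not part of the thread: the %n behaviour the message describes (by the C standard it stores the count of bytes emitted so far), the vulnerable logging pattern next to its fixed form, and a scanner a defender can run over any format string that must come from outside to count its conversions and flag %n. The function names and the sample strings are my own.

```c
#include <stdio.h>
#include <string.h>

/* %n stores the byte count emitted so far through its int* argument. We
 * supply that pointer here; with printf(user_buf) the untrusted format
 * picks the conversions and reads whatever arguments sit on the stack. */
int n_directive_stores_count(void) {
    char out[16];
    int written = -1;
    snprintf(out, sizeof out, "ABCD%n", &written);
    return written; /* 4 */
}
/* Vulnerable pattern: untrusted text is the format. GCC/clang warn about
 * this (-Wformat-security); the pragma silences it for this demo only. */
#pragma GCC diagnostic ignored "-Wformat-security"
void log_vulnerable(char *dst, size_t n, const char *untrusted) {
    snprintf(dst, n, untrusted);
}
/* Fixed pattern: constant format, untrusted text passed as data. */
void log_fixed(char *dst, size_t n, const char *untrusted) {
    snprintf(dst, n, "%s", untrusted);
}
/* Run one of the loggers and return what it produced. */
const char *run(void (*fn)(char *, size_t, const char *), const char *in) {
    static char buf[64];
    fn(buf, sizeof buf, in);
    return buf;
}

/* Scan a format: count argument-consuming conversions and note whether
 * %n, the only directive that writes memory, occurs. */
static int scan_format(const char *fmt, int *writes) {
    int count = 0;
    *writes = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '\0') break;
        if (*p == '%') continue; /* "%%" prints a literal '%', no argument */
        while (*p && strchr("-+ #0123456789.hlLqjzt*", *p)) {
            if (*p == '*') count++; /* '*' width/precision takes an int */
            p++;
        }
        if (*p == '\0') break;
        if (*p == 'n') *writes = 1;
        count++;
    }
    return count;
}
int count_conversions(const char *fmt) { int w; return scan_format(fmt, &w); }
int has_write_directive(const char *fmt) { int w; scan_format(fmt, &w); return w; }
```

With the fixed wrapper a string such as "%x %x %n" is emitted verbatim; with the vulnerable one even the harmless "%%" is interpreted, which is the tell that every other directive in the string would be too.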
