Vulnerability Development mailing list archives

Re[2]: memcpy with negative length and destination on heap - exploitable?


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 26 Dec 2001 22:02:18 +0300

Hello dullien,



--Wednesday, December 26, 2001, 6:13:30 PM, you wrote to 3APA3A () SECURITY NNOV RU:


3>> memcpy(dst, src + POSITION + 1, len); len is too long, then
3>> converted to size_t, and memcpy will crash... Is it possible to
3>> avoid it if the destination buffer is on the heap? The program is available
3>> on all possible platforms :)

dgd> If it happens on the stack (under NT), you might be able to
dgd> overwrite SEH structures before segfaulting and thus gain control.


If it happens on the stack it may be possible to overwrite the 'len'
argument with any desired value. If memcpy() doesn't use a register copy
of len (for example the one from libuucp) it makes it possible to exploit
it.


-- 
~/ZARAZA
For facts are facts, and they are set forth only so that they may be understood and believed. (Twain)
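The root cause the thread discusses is a length computed as a signed value going negative and then being silently converted to size_t at the memcpy() call. The following is an added example, not code from the thread or from the program being discussed: it mirrors the `len = total - POSITION - 1` pattern, shows what the negative value becomes after the cast, and wraps the copy in a check that refuses negative or out-of-range lengths before memcpy() ever sees them. All names (derive_len, length_is_safe, bounded_copy, demo_copy) and the sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the pattern from the thread: a length derived from a POSITION found
 * in the input. When position >= total - 1 the result goes negative.
 * (Constructed for this example; not the original program's code.) */
long derive_len(size_t total, size_t position)
{
    return (long)total - (long)position - 1;
}

/* Shows what memcpy() actually receives: the implicit conversion of a
 * negative long to size_t wraps to a value near SIZE_MAX. */
size_t as_size_t(long len)
{
    return (size_t)len;
}

/* Returns 1 if 'len' bytes starting at src_off in a src_size-byte source can
 * be copied into a dst_size-byte destination without reading or writing out
 * of bounds; 0 otherwise. The sign check comes first so a negative value is
 * rejected before any cast to size_t happens. */
int length_is_safe(long len, size_t src_off, size_t src_size, size_t dst_size)
{
    if (len < 0)                          /* would wrap to a huge size_t */
        return 0;
    if (src_off > src_size)               /* offset already past the source */
        return 0;
    if ((size_t)len > src_size - src_off) /* read would overrun the source */
        return 0;
    if ((size_t)len > dst_size)           /* write would overrun the dest */
        return 0;
    return 1;
}

/* Guarded copy: returns the number of bytes copied, or -1 if refused. */
long bounded_copy(unsigned char *dst, size_t dst_size,
                  const unsigned char *src, size_t src_size,
                  size_t src_off, long len)
{
    if (!length_is_safe(len, src_off, src_size, dst_size))
        return -1;
    memcpy(dst, src + src_off, (size_t)len);
    return len;
}

/* Runs one good copy and one with a position past the end of the input.
 * Returns 1 if the good copy succeeded and the bad one was refused. */
int demo_copy(void)
{
    unsigned char src[10] = "ABCDEFGHI";   /* constructed 10-byte source */
    unsigned char dst[16] = {0};

    /* position 4: len = 10 - 4 - 1 = 5, copies "EFGHI" */
    long ok = bounded_copy(dst, sizeof dst, src, sizeof src, 4,
                           derive_len(sizeof src, 4));
    if (ok != 5 || memcmp(dst, "EFGHI", 5) != 0)
        return 0;

    /* position 12: len = 10 - 12 - 1 = -3, must be refused, not cast */
    long bad = bounded_copy(dst, sizeof dst, src, sizeof src, 12,
                            derive_len(sizeof src, 12));
    return bad == -1;
}

int main(void)
{
    printf("derive_len(10, 12) = %ld\n", derive_len(10, 12));
    printf("as size_t: %zu (SIZE_MAX = %zu)\n", as_size_t(-3), (size_t)SIZE_MAX);
    printf("demo_copy: %s\n", demo_copy() ? "guarded copy behaves" : "FAILED");
    return 0;
}
```

Keeping the length signed until the check runs is the point: once the value has been cast to size_t the negative sign is gone and only the (enormous) magnitude remains, which is why the crash in the thread shows up inside memcpy() rather than at the arithmetic that produced the bad length.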

