Vulnerability Development mailing list archives
Re: Apache Exploit
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 20 Jun 2002 20:12:54 +0400
Dear Stefan Esser,

--Thursday, June 20, 2002, 12:30:48 PM, you wrote to bugtraq () securityfocus com:

SE> here is my little explanation how bsd memcpy can be exploited:
SE> ...
SE> 1:
SE>     addl    %ecx,%edi       /* copy backwards. */
SE>     addl    %ecx,%esi
SE>     std
SE> [1] andl    $3,%ecx         /* any fractional bytes? */
SE>     decl    %edi
SE>     decl    %esi
SE>     rep
SE>     movsb
SE> [X] movl    20(%esp),%ecx   /* copy remainder by words */
SE>     shrl    $2,%ecx
SE>     subl    $3,%esi
SE>     subl    $3,%edi
SE>     rep
SE>     movsl
SE> ...
SE> In Apache we trigger exactly this piece of code: bsd thinks the two
SE> buffers are overlapping and so it wants to copy backward.
SE> The problem is that you are able to overwrite the call to memcpy
SE> including the supplied parameters (dst, src, length). With up to

Do not say bsd. At least FreeBSD doesn't use the supplied parameters in the main loop. It copies the supplied parameters to register variables

    register char *dst = dst0;
    register const char *src = src0;
    register size_t t;

before starting this loop and never goes back to the original values. It makes it impossible to exploit this vulnerability in the way you described.

Nearly the same bug was in many RADIUS servers (but with the destination on the heap, which makes it impossible to exploit). So, I've started a discussion about it on vuln-dev some time ago. See the "memcpy with negative length and destination on heap - exploitable?" thread

http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/1

especially

http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/2

--
~/ZARAZA
Stop trying - nothing will come of it. (Twain)
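The copy-direction decision the two messages argue about, as an added C example that is not from either poster: it mirrors the overlap test that precedes the quoted "copy backwards" block in the i386 libc routine (backward copy when the unsigned distance dst - src is smaller than the length), shows why a negative length cast to size_t lands in the backward path, and pairs it with the length check a caller owes memcpy. Function names and the sample buffer are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

static char sample_buf[64];      /* constructed sample destination */

/* Mirrors the i386 libc test before the quoted "copy backwards" label:
 *   movl %edi,%eax ; subl %esi,%eax ; cmpl %ecx,%eax ; jb 1f
 * i.e. copy backwards iff (unsigned)(dst - src) < len. The arguments are
 * read into locals once, as the register copies in bcopy.c are.
 * Returns 1 for the backward path, 0 for the forward path. */
int bsd_copy_direction(const void *dst, const void *src, size_t len)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    uintptr_t dist = d - s;      /* wraps like the subl above */
    return dist < len ? 1 : 0;
}

/* The check the caller owes memcpy: a length parsed from the wire as a
 * signed value must be non-negative and fit the destination buffer.
 * Returns 1 if the copy may proceed, 0 if it must be refused. */
int chunk_len_ok(long wire_len, size_t dst_cap)
{
    if (wire_len < 0)
        return 0;                /* would become a huge size_t */
    return (size_t)wire_len <= dst_cap;
}

/* Copy only after validation; returns bytes copied or -1 on refusal. */
long guarded_copy(char *dst, size_t dst_cap, const char *src, long wire_len)
{
    if (!chunk_len_ok(wire_len, dst_cap))
        return -1;
    memcpy(dst, src, (size_t)wire_len);
    return wire_len;
}

int main(void)
{
    char *b = sample_buf;
    /* distinct regions, sane length: forward path */
    printf("forward: %d\n", bsd_copy_direction(b + 16, b, 8) == 0);
    /* same regions, negative length wrapped to size_t: backward path */
    printf("backward: %d\n", bsd_copy_direction(b + 16, b, (size_t)-200L) == 1);
    printf("refused: %ld\n", guarded_copy(b, sizeof sample_buf, "abc", -1L));
    return 0;
}
```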
Current thread:
- Apache Exploit Stefan Esser (Jun 20)
- Re: Apache Exploit Blue Boar (Jun 20)
- Re: Apache Exploit Randy Taylor (Jun 20)
- Re: Apache Exploit Michal Zalewski (Jun 20)
- Message not available
- Re: Apache Exploit Randy Taylor (Jun 21)
- Re: Apache Exploit David Bernick (Jun 21)
- Re: Apache Exploit T0aD (Jun 22)
- Re: Apache Exploit Alex Balayan (Jun 23)
- Re: Apache Exploit Randy Taylor (Jun 24)
- Re[2]: Apache Exploit dullien (Jun 26)
- Re: Apache Exploit Randy Taylor (Jun 20)
- Re: Apache Exploit Blue Boar (Jun 20)
- Re: Apache Exploit Stefan Esser (Jun 20)
- Re[2]: Apache Exploit dullien (Jun 20)
- Re[2]: Apache Exploit Michal Zalewski (Jun 20)
- Re: Apache Exploit Jefferson Ogata (Jun 20)
- Re: Apache Exploit Michal Zalewski (Jun 21)
- Re: Re[2]: Apache Exploit SpaceWalker (Jun 20)
- Re: Apache Exploit Stefan Esser (Jun 21)
- Re: Apache Exploit Ben Laurie (Jun 26)