Vulnerability Development mailing list archives
Re: Administrivia: List Announcement
From: xenophi1e <oliver.lavery () sympatico ca>
Date: 14 May 2003 15:14:39 -0000
In-Reply-To: <003001c319a0$30ff10f0$0100a8c0 () clippership com>

Well, I dunno about others on this list, but this old vuln by Solar Designer gives some good hints:

http://www.securityfocus.com/archive/1/71598

Seems like convincing free() to write to __free_hook or another pointer to code would work well here, although I'm not certain it's possible given the limited amount of data that can be tweaked in the malloc() bookkeeping info if the overwrite is indeed happening in buf1 and is only a single byte.

'Course it's a little hard to keep track of without the benefit of gdb. Wish I had a Linux box to play with at the moment :{

Cheers,
~ol

If I supply an argv[1] of > 252 bytes, then byte 253 may (depending on many factors) overwrite the first byte of buf2. This is going to be (I think) part of the size of the malloc'd buf2. What interesting things can happen when you then free() an incorrectly-sized buf2 (or otherwise operate on buf2 if this were a real program) is something I am anxious to learn from others on this list!
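
Added example, not part of the original posts: a small C model of the scenario described above (byte 253 of argv[1] landing on the first byte of buf2's size field), showing which header consistency checks an allocator can apply before free() trusts that field. It assumes a 32-bit little-endian dlmalloc-style layout and that buf1 and buf2 each occupy a 256-byte chunk; the heap is a constructed byte array and all function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model: 32-bit little-endian dlmalloc-style heap, two 256-byte
 * in-use chunks followed by a top chunk. Not real glibc memory. */
enum { PREV_INUSE = 1, IS_MMAPPED = 2, FLAGS = 7, MINSZ = 16, ARENA = 1024 };
enum { OK, BAD_MMAP_FLAG, BAD_SIZE, BAD_NEXT, BAD_PREV };

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Chunk at offset c: prev_size at c, size|flags at c+4, user data at c+8. */
static void build_heap(uint8_t *h) {
    memset(h, 0, ARENA);
    wr32(h + 4, 256 | PREV_INUSE);        /* buf1 chunk at 0   */
    wr32(h + 260, 256 | PREV_INUSE);      /* buf2 chunk at 256 */
    wr32(h + 516, 512 | PREV_INUSE);      /* top chunk at 512  */
}

/* Write n bytes into buf1 (user data at offset 8, 252 usable bytes) with no
 * bounds check, modelling the unchecked copy discussed in the thread. */
static void fill_buf1(uint8_t *h, uint8_t byte, size_t n) {
    memset(h + 8, byte, n);
}

/* Consistency checks an allocator can make before trusting a chunk header. */
static int check_chunk(const uint8_t *h, uint32_t c) {
    uint32_t field = rd32(h + c + 4), size = field & ~(uint32_t)FLAGS;
    if (field & IS_MMAPPED) return BAD_MMAP_FLAG;   /* arena chunk cannot be mmapped */
    if (size < MINSZ || c + size + 8 > ARENA) return BAD_SIZE;
    uint32_t next = rd32(h + c + size + 4);
    if (!(next & PREV_INUSE) || (next & ~(uint32_t)FLAGS) < MINSZ) return BAD_NEXT;
    if (!(field & PREV_INUSE)) {                    /* claims previous chunk is free */
        uint32_t prev = rd32(h + c);
        if (prev < MINSZ || prev > c || (rd32(h + c - prev + 4) & ~(uint32_t)FLAGS) != prev)
            return BAD_PREV;
    }
    return OK;
}

/* Build the heap, write n bytes of `byte` into buf1, then check buf2's header. */
static int overflow_then_check(uint8_t byte, size_t n) {
    uint8_t h[ARENA];
    build_heap(h);
    fill_buf1(h, byte, n);
    return check_chunk(h, 256);
}
```

In this model 252 bytes leave buf2's header intact, while a 253rd byte changes either the size or the flag bits of buf2's size field, and each variant trips a different check.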