Vulnerability Development mailing list archives
RE: Buffer UNDERFLOWS: What do you know about it?
From: Chris Anley <chris () ngssoftware com>
Date: Wed, 14 Jan 2004 17:01:29 +0000 (GMT Standard Time)
Just for historical accuracy, Mark Litchfield of NGS found this bug, and was working with Apache to fix it. ISS then released their advisory without consulting Apache. See below for some press from the time...

http://theregister.co.uk/content/4/25766.html
http://news.zdnet.co.uk/software/0,39020381,2111994,00.htm

Re: Buffer underflows. I guess if you have a situation where you control a static buffer in a parent function and then pop too many times in the child then that could be exploitable, since the saved return address could be in the data you control. I've never seen this though.

Signedness errors are usually overflows. You see lots of cases where folks aren't expecting a negative return code from a function that normally returns a length (e.g. recv()) and mess up their array indexing, and wind up referencing buff[-1] or something. Null terminating data obtained from recv() is a classic case of this.

I guess, in a strange kind of way, the va_arg issue that format string bugs are based on is kind of an underflow, in that the specified quantity of 'things' to be read is more than there are available, so the 'things' get read from the next location on the stack.

Come to think of it, I'm not sure how you'd define an underflow. Taking too much out, rather than putting too much in? Referencing a negative offset in an array?

Interesting stuff though.

-chris.

On Mon, 12 Jan 2004, OUAH wrote:
hi, I've been thinking about it for a few days, Googling, looking for papers, articles or whatever over the internet, but there is scant material about it. So I decided to ask what you guys know about it?

There was a famous bug in Apache in the beginning-middle of 2002 (known as the Apache chunked vuln) discovered by ISS and successfully exploited by GOBBLES. If it was strictly speaking a classical heap overflow ("overrun"), the way GOBBLES exploited it on OpenBSD systems is like a buffer "underrun". (With the heap overflow, they could control the last argument of a memcpy() call. And by rendering this argument negative on OpenBSD, memcpy() copies in the backward direction.)

my 2 cents about buffer underruns..

--------
OUAH
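As an added illustration (not code from either poster), the recv() null-termination pattern Chris mentions, shown with the unchecked index calculation next to a hardened version. The receive callbacks are constructed stand-ins for recv() so the code runs offline; `recv_cstring` is a hypothetical helper name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Receive primitive with recv()'s contract: bytes received, 0 when the peer
 * closed, -1 on error. Taken as a callback so constructed results can be fed in. */
typedef ssize_t (*recv_fn)(char *buf, size_t len);

/* The classic bug: the return value is used as an index with no sign check.
 * On -1 the terminator would land at buf[-1]; on a read that fills the buffer
 * it would land at buf[cap], one past the end. The index is returned instead
 * of written so the out-of-bounds values can be observed without UB. */
static ptrdiff_t unchecked_terminator_index(char *buf, size_t cap, recv_fn rx) {
    int n = (int)rx(buf, cap);      /* real code would do: buf[n] = '\0'; */
    return (ptrdiff_t)n;
}

/* Hardened version: reserve one byte for the NUL, reject errors and closed
 * connections before indexing, and never trust a count larger than requested. */
static bool recv_cstring(char *buf, size_t cap, recv_fn rx, size_t *out_len) {
    if (buf == NULL || cap < 2) return false;
    ssize_t n = rx(buf, cap - 1);                 /* leave room for the terminator */
    if (n <= 0) { buf[0] = '\0'; return false; }  /* -1 error, 0 peer closed */
    if ((size_t)n > cap - 1) { buf[0] = '\0'; return false; }
    buf[n] = '\0';                                /* n is now in [1, cap-1] */
    if (out_len) *out_len = (size_t)n;
    return true;
}

/* Constructed receivers standing in for network results. */
static ssize_t rx_error(char *buf, size_t len) { (void)buf; (void)len; return -1; }
static ssize_t rx_hello(char *buf, size_t len) {
    const char msg[] = "hello";
    size_t n = sizeof msg - 1 < len ? sizeof msg - 1 : len;
    memcpy(buf, msg, n);
    return (ssize_t)n;
}
static ssize_t rx_fill(char *buf, size_t len) { memset(buf, 'A', len); return (ssize_t)len; }
```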
Current thread:
- Buffer UNDERFLOWS: What do you know about it? Julio e2fsck Cesar (Jan 10)
- <Possible follow-ups>
- RE: Buffer UNDERFLOWS: What do you know about it? OUAH (Jan 13)
- RE: Buffer UNDERFLOWS: What do you know about it? Chris Anley (Jan 14)