Re: ImmuniX OS Security Alert: StackGuard 1.21 Released

[core.lists.bugtraq () CORE-SDI COM (Gerardo Richarte)]

Crispin Cowan wrote:

   Consider this vulnerable code:

   foo(char * arg) {
       char *    p = arg;    // a vulnerable pointer
       char a[25];    // the buffer that makes the pointer vulnerable

       gets(a);    // using gets() makes you vulnerable
       gets(p);    // this is the good part
   }

   In attacking this code, the attacker first overflows the buffer a[]
with
   a goal of changing the value of the char * p pointer.  Specifically,
   the attacker can cause the p pointer to point anywhere in memory,
   but especially at a return address record in an activation record.
   When the program then takes input and stores it where p points, the
   input data is stored where the attacker said to store it.

    I think that having this kind of overflow available, StackWard is
still vulnerable to a little smarter attack.
    You may think that this code example is too tricky, but there was a
buffer overflow in bind's inverse query
(http://www.securityfocus.com/vdb/bottom.html?vid=134) like this. This
makes me remember of some code I wrote to exploit this for Sparcs, as
it was just one call deep, it was imposible to overwrite the return
address, so, by using a memcpy() to a pointer I could overwrite (like
that one in
the example code) I overwrited part of the libc in memory, lets say
printf, so when the program called printf() after the second memcpy(),
instead of calling the original printf() it called my code: Here you
have an exploit that can be used still if you have StackWard.

    Am I wrong?

    Gerardo Richarte

--
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com

--- For a personal reply use gera () core-sdi com