Dailydave mailing list archives
CommuniGate LDAP fun
From: "Evgeny Legerov" <admin () gleg net>
Date: Sat, 04 Feb 2006 04:28:13 +0300
Hi,

Those CommuniGate negative-length memcpy bugs are not limited to DoS, as it seems at first glance.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1577886800 (LWP 27017)]
0xa268dbbc in memcpy () from /lib/libc.so.6
(gdb) bt
#0  0xa268dbbc in memcpy () from /lib/libc.so.6
#1  0x08336404 in STCopyCString ()
#2  0x082f5b93 in BERPackedData::makeCString ()
#3  0x081a2ae6 in VLDAPInput::deleteDN ()
#4  0x0819d585 in VLDAPInput::processInput ()
#5  0x08285f9b in VStream::worker ()
#6  0x08286d91 in VStream::starter ()
#7  0x0833ddd1 in STThreadStarter ()
#8  0xa277fb80 in start_thread () from /lib/libpthread.so.0
#9  0xa26ecdee in clone () from /lib/libc.so.6
(gdb) x/10i $eip
0xa268dbbc <memcpy+28>:    repz movsl %ds:(%esi),%es:(%edi)
0xa268dbbe <memcpy+30>:    mov    %eax,%edi
0xa268dbc0 <memcpy+32>:    mov    %edx,%esi
0xa268dbc2 <memcpy+34>:    mov    0x4(%esp),%eax
0xa268dbc6 <memcpy+38>:    ret
0xa268dbc7 <memcpy+39>:    nop
0xa268dbc8 <_wordcopy_fwd_aligned>:    push   %ebp
0xa268dbc9 <_wordcopy_fwd_aligned+1>:    mov    %esp,%ebp
0xa268dbcb <_wordcopy_fwd_aligned+3>:    push   %edi
0xa268dbcc <_wordcopy_fwd_aligned+4>:    push   %esi
(gdb) i r esi edi ecx
esi            0x85ec000    140427264
edi            0x85e6f97    140406679
ecx            0x3fffc3ec   1073726444
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x08330f32 in STExceptionSignal ()
(gdb) x/10i $eip
0x8330f32 <STExceptionSignal+74>:    mov    (%edx),%eax
0x8330f34 <STExceptionSignal+76>:    call   *%eax
0x8330f36 <STExceptionSignal+78>:    add    $0x4,%esp
0x8330f39 <STExceptionSignal+81>:    mov    %eax,%eax
0x8330f3b <STExceptionSignal+83>:    push   %eax
0x8330f3c <STExceptionSignal+84>:    call   0x834e2dc <cString__C8STString>
0x8330f41 <STExceptionSignal+89>:    add    $0xc,%esp
0x8330f44 <STExceptionSignal+92>:    mov    %eax,%eax
0x8330f46 <STExceptionSignal+94>:    push   %eax
0x8330f47 <STExceptionSignal+95>:    push   $0x83e0c48
(gdb) i r edx eax
edx            0x4d4d4d61   1296911713
eax            0x85d9918    140351768

Note that as the payload I used a large string consisting of '0x4d' chars.

(gdb) bt
#0  0x08330f32 in STExceptionSignal ()
#1  <signal handler called>
#2  0xa268dbbc in memcpy () from /lib/libc.so.6
#3  0x08336404 in STCopyCString ()
#4  0x082f5b93 in BERPackedData::makeCString ()
#5  0x081a2ae6 in VLDAPInput::deleteDN ()
#6  0x0819d585 in VLDAPInput::processInput ()
#7  0x08285f9b in VStream::worker ()
#8  0x08286d91 in VStream::starter ()
#9  0x0833ddd1 in STThreadStarter ()
#10 0xa277fb80 in start_thread () from /lib/libpthread.so.0
#11 0xa26ecdee in clone () from /lib/libc.so.6

Best regards,
Evgeny Legerov
CEO, GLEG Ltd.
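Editor's note: the trace above shows a BER string length from an LDAP DelRequest reaching memcpy via BERPackedData::makeCString and STCopyCString with a count far larger than anything in the packet. The ecx at the first fault, 0x3fffc3ec, is the number of dwords still left for rep movsl; times four that is 0xffff0fb0 bytes, which is exactly what a 32-bit signed length of -61520 becomes once it is converted to size_t. The C below is an added example written for this note, not CommuniGate's code (which is not public): it models the assumed bug shape, a BER length held in a signed int, bounds-checked with a signed compare and then handed to memcpy, next to a hardened version that keeps the length unsigned and checks it against both the received bytes and the destination. The DelRequest tag (0x4a), the 4096-byte destination and the two sample messages are constructed assumptions; the hostile message reuses the post's 0x4d filler. The block only covers the length path, not the later STExceptionSignal crash, where the signal handler calls through a pointer (edx = 0x4d4d4d61) that the overflow overwrote.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LDAP_DELREQUEST_TAG 0x4a  /* [APPLICATION 10] LDAPDN, RFC 4511 DelRequest */

/* Decode a BER definite-form length (X.690 8.1.3): one byte < 0x80, or
 * 0x80|n followed by n big-endian bytes (n <= 4 here). Returns the number
 * of header bytes consumed, 0 on malformed input. The value is returned
 * unsigned; what the caller does with it is the whole story. */
static size_t ber_read_length(const uint8_t *p, size_t avail, uint32_t *out)
{
    if (avail < 1)
        return 0;
    if (p[0] < 0x80) {
        *out = p[0];
        return 1;
    }
    size_t n = p[0] & 0x7f;
    if (n == 0 || n > 4 || avail < 1 + n)  /* 0x80 (indefinite form) is not legal in LDAP */
        return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | p[1 + i];
    *out = v;
    return 1 + n;
}

/* Assumed vulnerable shape (not CommuniGate's code): the length is stored in
 * a signed int, bounds-checked with a signed compare, then passed to memcpy,
 * where it is converted to size_t. Returns the 32-bit count memcpy would
 * receive, or 0 if the check rejects the message. It deliberately stops
 * short of calling memcpy so a hostile length cannot crash this demo. */
static uint32_t delete_dn_vulnerable(const uint8_t *msg, size_t msg_len, size_t cap)
{
    uint32_t raw;
    if (msg_len < 1 || msg[0] != LDAP_DELREQUEST_TAG)
        return 0;
    if (ber_read_length(msg + 1, msg_len - 1, &raw) == 0)
        return 0;
    int len = (int)raw;               /* 0xFFFF0FB0 becomes -61520 (gcc wraps) */
    if (len > (int)cap)               /* -61520 > 4096 is false: the check passes */
        return 0;
    return (uint32_t)len;             /* memcpy(dst, src, (size_t)len) gets 0xFFFF0FB0 */
}

/* Hardened: keep the length unsigned, require that the value lies inside the
 * received packet and fits the destination with room for the NUL. Returns
 * bytes copied, or -1 on rejection. */
static int delete_dn_safe(char *dst, size_t cap, const uint8_t *msg, size_t msg_len)
{
    uint32_t len;
    size_t hdr;
    if (msg_len < 1 || msg[0] != LDAP_DELREQUEST_TAG)
        return -1;
    hdr = ber_read_length(msg + 1, msg_len - 1, &len);
    if (hdr == 0)
        return -1;
    hdr += 1;                         /* count the tag byte too */
    if (len > msg_len - hdr)          /* value must lie within the bytes we have */
        return -1;
    if (cap == 0 || len >= cap)       /* must fit, NUL included */
        return -1;
    memcpy(dst, msg + hdr, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed inputs: a benign DelRequest for "cn=a", and one whose long-form
 * length has the high bit set, followed by a run of 0x4d ('M') filler bytes. */
static const uint8_t benign_del[]  = { 0x4a, 0x04, 'c', 'n', '=', 'a' };
static const uint8_t hostile_del[] = { 0x4a, 0x84, 0xff, 0xff, 0x0f, 0xb0,
                                       0x4d, 0x4d, 0x4d, 0x4d, 0x4d, 0x4d, 0x4d, 0x4d };

int main(void)
{
    char dn[4096];
    printf("benign:  vulnerable copies %u bytes, safe copies %d bytes (\"%s\")\n",
           delete_dn_vulnerable(benign_del, sizeof benign_del, sizeof dn),
           delete_dn_safe(dn, sizeof dn, benign_del, sizeof benign_del), dn);
    uint32_t n = delete_dn_vulnerable(hostile_del, sizeof hostile_del, sizeof dn);
    printf("hostile: vulnerable hands memcpy 0x%x bytes (%u dwords for rep movsl)\n", n, n / 4);
    printf("hostile: safe returns %d\n",
           delete_dn_safe(dn, sizeof dn, hostile_del, sizeof hostile_del));
    return 0;
}
```

The signed compare is the whole defect: a length that decodes with bit 31 set is negative as an int, so any "len > cap" style check waves it through, and the implicit conversion at the memcpy call turns it back into a count near 4 GiB. Checking the length against the bytes actually received, as the hardened version does, also stops the smaller variant where the length is positive but larger than the packet.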