Dailydave mailing list archives
Re: Re: Wierd bugs are cool bugs. (or as halvar would say "deep sea fish are good eatin'!")
From: Joel Eriksson <je () bitnux com>
Date: Sat, 18 Mar 2006 16:05:49 +0100
I haven't played around with the bug myself, but this is how I understand the bug from Zalewski's description.

For each tag in a page there is an array with the IDs of the event-handlers connected to it. Obviously, this array can be overflowed, which is not so weird in itself. However, the data that is overwritten during this overflow is actually an array index/offset.

I'm not sure if I would consider it a "weird" bug; all sorts of things may get overwritten during an overflow, including array indices. What's a bit funny in this case is that we only indirectly control the value to write, that this value multiplied by four must be a reasonably small value to be useful, and that the large event-handler ID numbers multiplied by four happen to become relatively small numbers due to an integer overflow.

For those of you that have taken a closer look at this bug yourself, feel free to correct me if any of my assumptions were false. :)

Best Regards,
Joel Eriksson

On Fri, Mar 17, 2006 at 01:49:54PM -0500, Steven M. Christey wrote:
> Pardon my ignorance, but what exactly is weird about this? Near as I can
> tell from the advisory, it's related to a whole bunch of arguments that
> are incrementally added to an array, which ultimately results in an
> out-of-bounds array index.
>
> If in fact that's what's going on, this "piecemeal" buffer overflow
> construction might be unusual and rarely reported, but it doesn't seem
> that weird. Clarification appreciated for lamerz like me :)
>
> Thanks,
> Steve
-- 
Best Regards,
Joel Eriksson
-------------------------------------------------
Cellphone: +46-70 228 64 16   Home: +46-18-30 35 55
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x08811B44
DF38 5806 0EFB 196E E4B6 34B5 4C01 73BB 0881 1B44
-------------------------------------------------
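The two arithmetic points in Joel's explanation, a per-tag handler table that can be appended past its end and an index scaled by four that wraps in 32-bit arithmetic for large IDs, are easy to see in a small model. The code below is an added example; it is not from the thread and not the browser code under discussion. The table size, the ID values and all function names are constructed for illustration, and the checked variants show the two guards a defender would want: refuse the append once the table is full, and refuse any ID whose scaled offset would wrap or land outside the table.

```c
/* Added example, not from the thread or from the browser code being
 * discussed: a toy model of the two arithmetic hazards described above,
 * an event-handler table that can be appended past its end, and an
 * element index scaled by four in 32-bit arithmetic that wraps for
 * large IDs. The safe variants show the checks a defender would add.
 * All names, sizes and ID values here are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define HANDLER_SLOTS 16u  /* constructed capacity of the per-tag table */

/* Unchecked: id * 4 evaluated in uint32_t wraps modulo 2^32, so an ID
 * far above the table size can still yield a small byte offset. */
static uint32_t unchecked_offset(uint32_t id)
{
    return id * (uint32_t)sizeof(uint32_t);
}

/* Checked: reject the multiplication before it can wrap (portable
 * division test), then reject offsets beyond the table. Returns the
 * byte offset, or -1 if the ID is not a valid table index. */
static int64_t checked_offset(uint32_t id)
{
    const uint32_t elem = (uint32_t)sizeof(uint32_t);
    if (id > UINT32_MAX / elem)
        return -1;                              /* would wrap */
    uint32_t off = id * elem;
    if (off >= HANDLER_SLOTS * elem)
        return -1;                              /* past end of table */
    return (int64_t)off;
}

/* Bounds-checked append: refuses writes once the table is full. */
static bool table_add(uint32_t *table, size_t *count, uint32_t id)
{
    if (*count >= HANDLER_SLOTS)
        return false;
    table[(*count)++] = id;
    return true;
}

/* Tries to register `attempts` handlers and returns how many the
 * bounds check actually accepted (never more than HANDLER_SLOTS). */
static size_t fill_table(size_t attempts)
{
    uint32_t table[HANDLER_SLOTS];
    size_t count = 0;
    for (size_t i = 0; i < attempts; i++)
        (void)table_add(table, &count, (uint32_t)i);
    return count;
}

int main(void)
{
    uint32_t big = 0x40000010u;  /* constructed: big * 4 wraps to 0x40 */
    printf("unchecked 0x%08x * 4 = 0x%08x\n", big, unchecked_offset(big));
    printf("checked   0x%08x     -> %lld\n", big, (long long)checked_offset(big));
    printf("checked   %u            -> %lld\n", 3u, (long long)checked_offset(3u));
    printf("accepted %zu of 20 handler registrations\n", fill_table(20));
    return 0;
}
```

The division test `id > UINT32_MAX / elem` is the portable way to detect that the multiplication would wrap; checking `off / elem != id` after the fact also works, but the point of the mitigation is that the wrapped value never gets used as an offset, so the range check on `off` alone would not be enough.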