Dailydave mailing list archives

Re: Re: Wierd bugs are cool bugs. (or as halvar would say "deep sea fish are good eatin'!")


From: Joel Eriksson <je () bitnux com>
Date: Sat, 18 Mar 2006 16:05:49 +0100


I haven't played around with the bug myself, but this is how I understand
the bug from Zalewski's description. For each tag in a page there is an array
with the IDs of the event-handlers connected to it. Obviously, this array can
be overflowed, which is not so weird in itself. However, the data that is
overwritten during this overflow is actually an array index/offset.

I'm not sure if I would consider it a "weird" bug, all sorts of things may
get overwritten during an overflow, including array indices. What's a bit
funny in this case is that we only indirectly control the value to write,
that this value multiplied by four must be a reasonably small value to
be useful and that the large event-handler ID numbers multiplied by four
happen to become relatively small numbers due to an integer overflow.

For those of you that have taken a closer look at this bug yourself, feel
free to correct me if any of my assumptions were false. :)

Best Regards,
   Joel Eriksson

On Fri, Mar 17, 2006 at 01:49:54PM -0500, Steven M. Christey wrote:

Pardon my ignorance, but what exactly is weird about this?  Near as I
can tell from the advisory, it's related to a whole bunch of arguments
that are incrementally added to an array, which ultimately results in
an out-of-bounds array index.  If in fact that's what's going on, this
"piecemeal" buffer overflow construction might be unusual and rarely
reported, but it doesn't seem that weird.

Clarification appreciated for lamerz like me :)

Thanks,
Steve

-- 
Best Regards,
   Joel Eriksson
-------------------------------------------------
Cellphone: +46-70 228 64 16 Home: +46-18-30 35 55
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x08811B44
DF38 5806 0EFB 196E E4B6 34B5 4C01 73BB 0881 1B44
-------------------------------------------------
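The "large ID times four wraps to a small offset" effect that Joel describes is easy to reproduce in isolation. The following is an added example, not code from the thread or from the affected browser: it models a constructed handler table whose byte offset is derived by scaling a 32-bit ID by four, shows that a bounds check applied to the already-scaled offset is defeated by the wraparound, and shows the two checks that actually hold (bound the unscaled index first, or use overflow-checked multiplication). Table size, IDs and function names are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a 64-byte table of 32-bit handler slots. The real
 * structure's size and layout are not on the page; these are made up. */
#define TABLE_BYTES 64u
#define TABLE_SLOTS (TABLE_BYTES / sizeof(uint32_t))
static uint32_t table[TABLE_SLOTS];

/* The scaled byte offset computed in 32 bits: id * 4 wraps modulo 2^32,
 * so an id of 0x40000001 yields an offset of 4, not 0x100000004. */
uint32_t scaled_offset(uint32_t id) {
    return id * 4u;
}

/* Weak check: compares only the already-wrapped offset against the table
 * size. A huge id that wraps to a small offset passes this check. */
bool weak_check_passes(uint32_t id) {
    return scaled_offset(id) < TABLE_BYTES;
}

/* Correct check: bound the unscaled index against the slot count before
 * any arithmetic, so there is nothing left to wrap. */
bool safe_check_passes(uint32_t id) {
    return id < TABLE_SLOTS;
}

/* Alternative: overflow-checked multiplication (GCC/Clang builtin) reports
 * the wrap instead of silently producing the small value. */
bool mul_wraps(uint32_t id) {
    uint32_t out;
    return __builtin_mul_overflow(id, 4u, &out);
}

/* The wrapped product itself, for inspection. */
uint32_t wrapped_product(uint32_t id) {
    uint32_t out;
    (void)__builtin_mul_overflow(id, 4u, &out);
    return out;
}

/* Store through the table only when the unscaled index is in range. */
bool safe_store(uint32_t id, uint32_t value) {
    if (!safe_check_passes(id))
        return false;
    table[id] = value;
    return true;
}

int main(void) {
    /* Constructed IDs: one small, one at the boundary, one that wraps. */
    const uint32_t ids[] = { 3u, 16u, 0x40000001u };
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        uint32_t id = ids[i];
        printf("id=0x%08x offset=%u weak=%d safe=%d wraps=%d\n",
               id, scaled_offset(id), weak_check_passes(id),
               safe_check_passes(id), mul_wraps(id));
    }
    return 0;
}
```

Run as-is, the weak check accepts the wrapping ID while the index-first check and the overflow-checked multiply both reject it; that difference is the whole bug class Joel is pointing at, independent of which data happens to sit past the array.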

