Full Disclosure mailing list archives
Re: format strings on HP-UX
From: "Bruce Ediger" <eballen1 () qwest net>
Date: Mon, 20 Jan 2003 15:32:19 -0700 (MST)
On Mon, 20 Jan 2003 bt () delfi lt wrote:
> Are they exploitable? I was looking for a format strings exploit on HP-UX, but couldn't find any. Maybe because they are not exploitable??? If they are, I would appreciate very much if anyone could provide some information about that.
I think that's a pretty good question, and I don't have an answer. Since HP-UX runs on HP's "PA" architecture, the answer may very well be "no". The PA architecture has a few oddities:

1. What unix people think of as "stack" and "heap" are reversed relative to how they appear in SPARC, Mips, 68k and x86. The stack is at a lower address than the heap.
2. Stack grows up, heap grows down. This, too, is reversed relative to SPARC, Mips, x86, 68k. I think this implies that "stack underflows" are more exploitable than "stack overflows", but I don't really know for certain.
3. The PA architecture is segmented. HP does their best to hush this up and obfuscate it, but there's a "SR" segment register. I forget exactly how this thing works, but it's *not* like x86. You can only get to a given memory location with 1 combination of SR and 32-bit address. It's possible that stack and heap and ".text segment" live in different segments.
4. The heap and the stack are typically marked "non-executable". I realize this doesn't protect 100% against stack overflows, but it sure makes them harder.

All-in-all the PA architecture is a bit hard to get your head around, if you're used to Mips/SPARC/68k big-endian memory arrangements.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- format strings on HP-UX bt (Jan 20)
- Re: format strings on HP-UX KF (Jan 20)
- Re: format strings on HP-UX Bruce Ediger (Jan 20)