Re: MySQL (Linux) Heap Based Overrun PoC Zeroday

[king cope <isowarez.isowarez.isowarez () googlemail com>]

When you look into the heap and stack overrun the first obstacle to
exploit the bugs is that MySQL does not allow all plain 0 to 255
characters, this means the exploiter would have to use unicode
translation in order to exploit the bugs (therefore these are PoCs
only by now). If the exploiter managed to execute code on default
installs without your mentioned protections it might be possible to
circumvent them, to be honest I didn't have a look into these
optimizations and protections, it's hard enough to exploit it without
these restrictions applied.

2012/12/1 Jeffrey Walton <noloader () gmail com>:
> Hi Kingcope,
>
> # As seen below $edx and $edi are fully controlled,
> # the current instruction is
> # => 0x83a6b24 <free_root+180>:   mov    (%edx),%edi
> # this means we landed in a place where 4 bytes can be controlled by 4 bytes
> # with this function pointers and GOT entries can be rewritten to
> execute arbritrary code
>
> Out of curiosity, is this exploitable when using hardened toolchain
> settings? Specifically, -z,noexecheap, -z,now, and -z,relro? For
> no-exec heaps., you need to be on Gentoo or other platforms which
> offer the remediation.
>
> Jeff
>
> On Sat, Dec 1, 2012 at 4:26 PM, king cope
> <isowarez.isowarez.isowarez () googlemail com> wrote:
> > (see attachment)
> >
> > Cheerio,
> >
> > Kingcope
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/