Re: hardware protection for format string attacks

[Mariusz Woloszyn <emsi () ipartners pl>]

On Wed, 28 Nov 2001, Juliano Rizzo wrote:

> > Does anyone successfuly exploited any format string vulnerability on
> > PA-RISC architecture (on any other archjitecture with aligned memory
> > access)???
>
> Yes and there are publicly available exploits for these architectures
> (wuftpd site exec, irix telnetd)
MIPS!=PA-RISC.

Irix telnetd uses GOT overwrite aproach which cannot be used on HP-UX.

> > unaligned address i'm getting SIGBUS.
>
> Actually, you have several ways to write values to memory using format
> strings, you
> can use one %n, four %n, two %hn, etc. Different combinations of these
> format modifiers
> will let you overcome the limitations you proposed.
I'm exploting syslog() which stops to interprete format string after
printing 2048 characters. Also fout %n wont work (unaligned access).

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners