Vulnerability Development mailing list archives
Re: hardware protection for format string attacks
From: Mariusz Woloszyn <emsi () ipartners pl>
Date: Tue, 4 Dec 2001 09:35:34 +0100 (EET)
On Wed, 28 Nov 2001, Juliano Rizzo wrote:
> > Has anyone successfully exploited any format string vulnerability on
> > PA-RISC architecture (or any other architecture with aligned memory
> > access)???
>
> Yes, and there are publicly available exploits for these architectures
> (wuftpd site exec, irix telnetd).

MIPS != PA-RISC. Irix telnetd uses a GOT overwrite approach which cannot be used on HP-UX.

> > unaligned address I'm getting SIGBUS.
>
> Actually, you have several ways to write values to memory using format
> strings: you can use one %n, four %n, two %hn, etc. Different
> combinations of these format modifiers will let you overcome the
> limitations you proposed.

I'm exploiting syslog(), which stops interpreting the format string after printing 2048 characters. Also, four %n won't work (unaligned access).

-- 
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
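The bug the thread is arguing about, as an added example that is not part of the original posts: user data passed as the format argument (the syslog() case) beside the hardened form and a simple input-side check for legacy code. syslog() is stood in for by snprintf() into a buffer so it runs offline; function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Silence the compiler's own warning for the deliberately broken call
 * so the vulnerable pattern can be shown next to the fix. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Vulnerable pattern: attacker-controlled data IS the format string, so
 * every conversion in it (%x, %s, %n, %hn, ...) is interpreted. The real
 * case in the thread is syslog(LOG_INFO, user); snprintf stands in here. */
int log_vulnerable(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, user);   /* BUG: format = user data */
}

/* Hardened form: constant format, user data only ever fills a %s and is
 * never parsed for conversions. This is the one-line fix. */
int log_safe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

/* Cheap defensive check for code paths that cannot be changed yet:
 * returns 1 if the record carries anything that looks like a format
 * directive (a '%' not doubled as a literal "%%"), else 0. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }   /* literal percent */
            return 1;
        }
    }
    return 0;
}
```

A constructed record such as "cpu at 100%%" comes out as "cpu at 100%" from the vulnerable call (the "%%" was interpreted) and unchanged from the safe one.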