Re: hardware protection for format string attacks

[Juliano Rizzo <core.lists.exploit-dev () core-sdi com>]

Mariusz Woloszyn wrote:
> Does anyone successfuly exploited any format string vulnerability on
> PA-RISC architecture (on any other archjitecture with aligned memory
> access)???

Yes and there are publicly available exploits for these architectures
(wuftpd site exec, irix telnetd)

> I mean: does architecture here prevents from exploiting it?
> Format string exploitation using %n requires (let's say) 4 unaligned
> memory writes to overwrite address in memory. If i try to write to
> unaligned address i'm getting SIGBUS.

Actually, you have several ways to write values to memory using format
strings, you 
can use one %n, four %n, two %hn, etc. Different combinations of these
format modifiers
will let you overcome the limitations you proposed.

--- for a personal reply use: Juliano Rizzo <juliano.rizzo () corest com>