Vulnerability Development mailing list archives
Re: hardware protection for format string attacks
From: Juliano Rizzo <core.lists.exploit-dev () core-sdi com>
Date: Wed, 28 Nov 2001 21:13:17 -0300
Mariusz Woloszyn wrote:

> Has anyone successfully exploited any format string vulnerability on the PA-RISC architecture (or on any other architecture with aligned memory access)?

Yes, and there are publicly available exploits for these architectures (wuftpd site exec, irix telnetd).

> I mean: does the architecture here prevent it from being exploited? Format string exploitation using %n requires (let's say) 4 unaligned memory writes to overwrite an address in memory. If I try to write to an unaligned address I'm getting SIGBUS.

Actually, you have several ways to write values to memory using format strings: you can use one %n, four %n, two %hn, etc. Different combinations of these format modifiers will let you overcome the limitations you proposed.

---
for a personal reply use: Juliano Rizzo <juliano.rizzo () corest com>
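The exchange turns on what `%n` and `%hn` actually store: the count of characters printed so far, written as an int (4 bytes, which a strict-alignment CPU only accepts at a 4-byte-aligned address) or as a short (2 bytes, 2-byte alignment). The C program below is an added example, not code from the thread or from either poster. It shows the two conversions writing into ordinary local variables, the bug pattern that makes untrusted text reach the format argument next to its hardened form, and a small review helper that counts `%n`-family conversions in a string. The function names are my own; the only standard behaviour assumed is that of C99 `snprintf`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* %n and %hn store the number of characters printed so far by the call,
 * through the matching pointer argument: %n as an int (4 bytes, which a
 * strict-alignment CPU such as PA-RISC only accepts at a 4-byte-aligned
 * address), %hn as a short (2 bytes, 2-byte alignment). The targets
 * below are ordinary local variables; nothing here writes anywhere else. */

/* Print `width` characters, then record the running count through %n. */
long count_via_n(int width)
{
    int n = -1;
    size_t sz = (size_t)width + 16;      /* room for the padded field */
    char *buf = malloc(sz);
    if (buf == NULL)
        return -1;
    /* "%*d" prints the value 0 padded to `width` columns, so %n sees `width`. */
    snprintf(buf, sz, "%*d%n", width, 0, &n);
    free(buf);
    return n;
}

/* Same count stored through %hn: only the low 16 bits of the count survive. */
long count_via_hn(int width)
{
    short h = -1;
    size_t sz = (size_t)width + 16;
    char *buf = malloc(sz);
    if (buf == NULL)
        return -1;
    snprintf(buf, sz, "%*d%hn", width, 0, &h);
    free(buf);
    return (unsigned short)h;
}

/* The bug pattern behind the thread: untrusted text used as the format
 * string, so any %n it carries turns into a write. Kept only as the
 * "before"; gcc/clang -Wformat-security flag this call at compile time. */
int echo_unsafe(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, untrusted);
}

/* Hardened form: the untrusted text is an argument, not the format, so a
 * "%n" inside it is copied as two literal characters and never acted on. */
int echo_safe(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* Review/detection helper: count %n-family conversions in a string,
 * skipping "%%" and any flags, width, precision, positional "$" and
 * h/hh/l/ll/q/j/z/t length modifiers, so "%5$hn" counts as one. */
int count_n_conversions(const char *s)
{
    int found = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        s++;
        if (*s == '%')                    /* "%%" is a literal percent sign */
            continue;
        while (*s != '\0' && strchr("-+ #0123456789.$*hlLqjzt", *s) != NULL)
            s++;                          /* modifiers before the conversion char */
        if (*s == 'n')
            found++;
        else if (*s == '\0')
            break;                        /* string ended inside a conversion */
    }
    return found;
}

int main(void)
{
    char out[32];
    printf("%%n after 10 chars stores %ld\n", count_via_n(10));
    printf("%%hn after 65541 chars stores %ld\n", count_via_hn(65541));
    echo_safe(out, sizeof out, "%n%n");
    printf("echo_safe kept the text literally: \"%s\"\n", out);
    printf("%%n conversions in \"%%x%%x%%n\": %d\n", count_n_conversions("%x%x%n"));
    return 0;
}
```

Build it with `gcc -Wall -Wformat -Wformat-security` and the compiler already points at `echo_unsafe`; `echo_safe` is the fix, since a `%n` that arrives as data rather than as format is never interpreted. `count_via_hn` is the reason the reply can mix `%n` and `%hn`: the short store carries only 16 bits of the count and needs only 2-byte alignment, so it does not trip the SIGBUS that an unaligned 4-byte store raises on PA-RISC. On glibc, compiling with `_FORTIFY_SOURCE=2` adds a runtime check that aborts when `%n` appears in a format string located in writable memory, which catches the unsafe pattern even where the warning was ignored.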
Current thread:
- hardware protection for format string attacks Mariusz Woloszyn (Nov 28)
- Re: hardware protection for format string attacks Juliano Rizzo (Nov 28)