Vulnerability Development mailing list archives

Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server


From: Syzop <syz () dds nl>
Date: Wed, 19 Jun 2002 19:56:59 +0200

Anibal Ambertin wrote:

> > in the case of sigaction the signum was set to 10 or SIGUSR1 and all other
> > arguments were overwritten with 0x41414141. I was wondering if this
> > could cause any added risk to the x86 versions of apache... maybe some
> > signaling ninja would help?
>
> I don't think this could be useful for an attacker, since the only
> thing you can do is to change the sigaction parameters, which doesn't imply
> any risk at all (unless you can write the members of the sigaction structure
> and make it go to another internal function -which should be part of the
> vulnerable program, in this case, apache-).

If you control the parameters, then you can change the pointer to the sigaction struct,
point it to somewhere in memory which you can control, and create your own struct there
with .sa_handler (the first four bytes of the struct) pointed to your shellcode.
I did this struct stuff in my (old) splitvt exploit.
--
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ends up in .sa_handler of the fake struct; proves the call was redirected. */
void sighandler(int sig) { (void)sig; printf("Called!\n"); exit(0); }

int main(void) {
        int *a = (int *)0x11223344;          /* unmapped address, dereferenced to raise signal 11 */
        char buf[sizeof(struct sigaction)];  /* hand-built struct; must be the full struct size */
        long *p = (long *)buf;
        memset(buf, 'A', sizeof(buf));       /* sa_mask/sa_flags are just AAAA..., see note below */
        *p = (long)&sighandler;              /* .sa_handler is the first word of the struct */
        sigaction(11, (struct sigaction *)buf, (struct sigaction *)buf); /* 11 == SIGSEGV */
        *a = 5; /* crash: SIGSEGV -> sighandler() */
        return 0;
}
--
(NOTE: you might want to use another value than aaaa/aaaa for the
 other parameters :P).

Of course I could have misunderstood what exactly you (KF) control,

Cya,

   Syzop.


