Vulnerability Development mailing list archives

Re: Apache Exploit


From: Stefan Esser <sesser () php net>
Date: Thu, 20 Jun 2002 18:26:30 +0200

On Thu, Jun 20, 2002 at 08:12:54PM +0400, 3APA3A wrote:

Do not say bsd. At least FreeBSD doesn't use the supplied parameters in the main
loop. It copies the supplied parameters to register variables

        register char *dst = dst0;
        register const char *src = src0;
        register size_t t;

before starting this loop and never goes back to the original values. It makes it
impossible to exploit this vulnerability in the way you described.

Sorry, but the code was directly taken from FreeBSD cvs. You can look as
long as you want into the generic bcopy.c file. For x86 you must look at the
assembler implementation. And this is what runs on x86. Besides that I
tested this on FreeBSD and it worked like a charm.

Stefan Esser - e-matters Security
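For readers following the disagreement above, here is a constructed C example (not FreeBSD's bcopy.c and not code from either poster) of the structure 3APA3A describes: the copy routine takes private copies of src, dst and the length before its loop starts, and the loop consults only those locals, so nothing the loop writes to memory can change how many bytes remain or where they go. It is compared against the C library's memmove on overlapping regions to show it is a correct overlap-safe copy. The function and helper names are my own; as Stefan points out, this generic C form is not what runs on x86, where an assembler implementation is used instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: overlap-safe copy in the style of a generic C bcopy.
 * The arguments are copied into locals once, before the loop, and the loop
 * never re-reads the caller-supplied values. */
static void local_copy_bcopy(const void *src0, void *dst0, size_t length)
{
    char *dst = dst0;
    const char *src = src0;
    size_t t = length;

    if (t == 0 || (const char *)dst == src)
        return;

    /* Decide direction by address so overlapping regions copy correctly. */
    if ((uintptr_t)dst < (uintptr_t)src) {
        /* Destination lies below source: copy forward. */
        while (t--)
            *dst++ = *src++;
    } else {
        /* Destination lies above source: copy backward from the end. */
        src += t;
        dst += t;
        while (t--)
            *--dst = *--src;
    }
}

/* Check helper: perform the same overlapping copy inside one 32-byte
 * buffer with local_copy_bcopy and with memmove, and report whether the
 * two buffers end up identical. `from` and `to` are byte offsets into the
 * buffer, `len` is the byte count. Returns 1 on match, 0 on mismatch or
 * if the requested range does not fit in the buffer. */
int overlap_copy_matches(size_t from, size_t to, size_t len)
{
    char a[32], b[32];

    if (from + len > sizeof a || to + len > sizeof a)
        return 0;

    /* Constructed sample contents: 'A', 'B', 'C', ... */
    for (size_t i = 0; i < sizeof a; i++)
        a[i] = b[i] = (char)('A' + i);

    local_copy_bcopy(a + from, a + to, len);
    memmove(b + to, b + from, len);

    return memcmp(a, b, sizeof a) == 0;
}

int main(void)
{
    printf("forward overlap  : %s\n", overlap_copy_matches(4, 0, 16) ? "ok" : "MISMATCH");
    printf("backward overlap : %s\n", overlap_copy_matches(0, 4, 16) ? "ok" : "MISMATCH");
    printf("same address     : %s\n", overlap_copy_matches(8, 8, 8) ? "ok" : "MISMATCH");
    return 0;
}
```

The point of keeping `dst`, `src` and `t` as locals is that the loop's control state lives in registers or the callee's own frame for the whole copy; the caller's argument slots are read exactly once and then ignored.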



