Vulnerability Development mailing list archives

Re[2]: Apache Exploit


From: dullien () gmx de
Date: Thu, 20 Jun 2002 12:29:30 -0700

Hey Stefan, 3APA3A

3> Nearly same bug was in many RADIUS servers (but with destination on
3> heap, it makes it impossible to exploit it). So, I've started discussion
3> about it on vuln-dev some time ago. See "memcpy with negative length
3> and destination on heap - exploitable?" thread
3> http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/1
3> specially
3> http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/2

Please excuse if this is gibberish, as it is coming from a Win-centric
programmer who does not know much about signals, but
has anyone actually tried to exploit memcpy(heapaddr, src, negative)
by triggering signals on time? Doesn't the signal handler restart
certain functions after it is done? Once the heap is garbled, any heap
operation can have nasty consequences, so if these functions which are
restarted manipulate the heap, one could be in business.

Cheers,
dullien () gmx de
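The bug class the quoted thread refers to, memcpy handed a negative length, shown as an added example in C (this is not code from the post above nor from any of the RADIUS servers mentioned): a payload length computed as a signed int goes negative when a header claims fewer bytes than the fixed header size, slips past a signed upper-bound check, and is converted to a huge size_t at the memcpy call. The hardened check beside it validates the declared length before subtracting and keeps the arithmetic unsigned. The packet layout, field sizes and function names are assumptions constructed for this illustration.

```c
/*
 * Added example, not from the original mailing-list post: the
 * "memcpy with negative length" pattern, as a vulnerable length check
 * next to a hardened one. Packet layout and names are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE   64   /* destination buffer (constructed size) */
#define HEADER_LEN 4    /* constructed fixed header: 2-byte length + 2 bytes */

/* Vulnerable check (the bug class, deliberately kept). The payload length
 * is computed as a signed int and only the upper bound is tested, so a
 * header claiming total_len < HEADER_LEN yields a negative len that passes
 * the test. Returns true if the copy would proceed and stores the value
 * memcpy would actually receive after the implicit size_t conversion. */
bool vulnerable_check(uint16_t total_len, size_t *n_out) {
    int len = (int)total_len - HEADER_LEN;   /* can go negative */
    if (len > BUF_SIZE)                      /* signed compare, no lower bound */
        return false;
    *n_out = (size_t)len;                    /* -2 becomes SIZE_MAX - 1 */
    return true;
}

/* Hardened check: reject a declared length shorter than the header before
 * subtracting, and keep the arithmetic unsigned so nothing can wrap. */
bool hardened_check(uint16_t total_len, size_t *n_out) {
    if (total_len < HEADER_LEN)
        return false;
    size_t len = (size_t)total_len - HEADER_LEN;
    if (len > BUF_SIZE)
        return false;
    *n_out = len;
    return true;
}

/* Parse a constructed packet with the hardened check. The declared total
 * length must also fit inside the bytes actually received. Returns the
 * number of payload bytes copied into out, or 0 if the packet is rejected. */
size_t parse_packet(const uint8_t *pkt, size_t pkt_len, uint8_t out[BUF_SIZE]) {
    if (pkt_len < 2)
        return 0;
    uint16_t total_len = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (total_len > pkt_len)
        return 0;
    size_t n;
    if (!hardened_check(total_len, &n))
        return 0;
    memcpy(out, pkt + HEADER_LEN, n);
    return n;
}

int main(void) {
    size_t n = 0;
    /* Constructed header claiming total length 2: 2 - 4 = -2 */
    if (vulnerable_check(2, &n))
        printf("vulnerable check accepted; memcpy would receive %zu bytes\n", n);
    if (!hardened_check(2, &n))
        printf("hardened check rejected the packet\n");
    return 0;
}
```

The point of the two checks side by side is that the vulnerable one is not missing a comparison by accident of typing; it compares a signed value against a bound and never asks whether the subtraction was valid in the first place. Validating the header before deriving a length, and never letting a signed type carry a size into memcpy, closes the class rather than the instance.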

