Vulnerability Development mailing list archives
Re[2]: Apache Exploit
From: dullien () gmx de
Date: Thu, 20 Jun 2002 12:29:30 -0700
Hey Stefan, 3APA3A

3> Nearly same bug was in many RADIUS servers (but with destination on
3> heap, it makes it impossible to exploit it). So, I've started discussion
3> about it on vuln-dev some time ago. See "memcpy with negative length
3> and destination on heap - exploitable?" thread
3> http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/1
3> specially
3> http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/2

Please excuse if this is gibberish as it is coming from a Win-centric programmer who does not know much about signals, but has anyone actually tried to exploit memcpy(heapaddr, src, negative) by triggering signals on time? Doesn't the signal handler restart certain functions after it is done?

Once the heap is garbled any heap operation can have nasty consequences, so if these functions which are restarted manipulate the heap one could be in business.

Cheers,
dullien () gmx de