Vulnerability Development mailing list archives
Re[2]: Apache Exploit
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 20 Jun 2002 18:40:55 -0400 (EDT)
On Thu, 20 Jun 2002 dullien () gmx de wrote:
> Please excuse if this is gibberish as it is coming from a Win-centric programmer who does not know much about signals, but has anyone actually tried to exploit memcpy(heapaddr, src, negative) by triggering signals on time? Doesn't the signal handler restart certain functions after it is done?
Signal handlers, in some circumstances, restart blocking syscalls that were due when the signal was delivered. They do not restart library (= user space) code. This code is simply continued.

This is not to say that delivering signals is not the way to exploit problems like that - conditions that would otherwise lead directly to SEGV because of access to non-allocated memory, for example. Quite (un)fortunately, there are only two signals that could be perhaps delivered to Apache (which, keep in mind, is running as a standalone daemon) - SIGPIPE and SIGURG - that is, if they are not ignored and if the handler does something interesting, which I'm not so sure about (but haven't looked in a while).

--
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
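What "restart blocking syscalls" means in practice, as an added example that is not part of the original message: the same blocked read() on an empty pipe either resumes after the handler returns (SA_RESTART set) or fails with EINTR (flag clear). The function names, the SIGALRM timer and the pipe are assumptions made for this demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

static volatile sig_atomic_t hits;   /* SIGALRM deliveries so far */
static int wfd = -1;                 /* pipe write end, used by the handler */

/* 1st delivery only counts; 2nd delivery gives the blocked read() a byte. */
static void on_alarm(int sig) {
    int saved = errno;               /* handlers must not clobber errno */
    (void)sig;
    if (++hits == 2 && write(wfd, "x", 1) < 0) { /* nothing useful to do */ }
    errno = saved;
}

/* Deliver SIGALRM every period_ms milliseconds (< 1000); 0 stops the timer. */
static void tick(long period_ms) {
    struct itimerval it = { {0, period_ms * 1000}, {0, period_ms * 1000} };
    setitimer(ITIMER_REAL, &it, NULL);
}

/* Block in read() on an empty pipe while signals arrive. Returns 1 if the
 * kernel restarted read() after the handler and it later got the byte,
 * 0 if read() failed with EINTR, -1 on setup or unexpected failure. */
int read_survives_signal(int use_sa_restart) {
    int p[2];
    char c;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = use_sa_restart ? SA_RESTART : 0;
    if (pipe(p) != 0 || sigaction(SIGALRM, &sa, NULL) != 0) return -1;
    wfd = p[1];
    hits = 0;
    tick(100);
    ssize_t n = read(p[0], &c, 1);   /* blocks until a byte or a signal */
    int err = errno;
    tick(0);
    close(p[0]);
    close(p[1]);
    return n == 1 ? 1 : (n == -1 && err == EINTR) ? 0 : -1;
}

int main(void) {
    printf("SA_RESTART set: %d\n", read_survives_signal(1));
    printf("SA_RESTART clear: %d\n", read_survives_signal(0));
    return 0;
}
```

Only the kernel-side wait is retried; the code in the caller after read() runs once in both cases, which is the distinction the reply draws for user-space routines.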