Vulnerability Development mailing list archives

Re[2]: Apache Exploit


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 20 Jun 2002 18:40:55 -0400 (EDT)

On Thu, 20 Jun 2002 dullien () gmx de wrote:

> Please excuse if this is gibberish as it is coming from a Win-centric
> programmer who does not know much about signals, but
> has anyone actually tried to exploit memcpy(heapaddr, src, negative)
> by triggering signals on time? Doesn't the signal handler restart
> certain functions after it is done ?

Signal handlers, in some circumstances, restart blocking syscalls that
were due when the signal was delivered. They do not restart library (=
user space) code. This code is simply continued.

This is not to say that delivering signals is not the way to exploit
problems like that - conditions that would otherwise lead directly to SEGV
because of access to non-allocated memory, for example. Quite
(un)fortunately, there are only two signals that could be perhaps
delivered to Apache (which, keep in mind, is running as a standalone
daemon) - SIGPIPE and SIGURG - that is, if they are not ignored and if the
handler does something interesting, which I'm not so sure about (but
haven't looked in a while).

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
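An added example, not part of the thread, that demonstrates the distinction drawn above on Linux: a blocking read() is transparently restarted by the kernel only when the handler is installed with SA_RESTART (otherwise it fails with EINTR), while a pure user-space memcpy() loop is never restarted; the handler runs and the loop simply continues. Function names, the pipe/fork setup and the timer values are my own constructions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t signal_seen;
static void on_signal(int sig) { (void)sig; signal_seen = 1; }

/* Install on_signal for SIGALRM with the given sa_flags and reset the flag. */
static void install_handler(int flags) {
    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal; sa.sa_flags = flags;
    sigaction(SIGALRM, &sa, NULL);
    signal_seen = 0;
}

/* Block in read() on a pipe whose writer (a forked child) sends one byte after
 * 300 ms while SIGALRM fires at 100 ms. Returns 1 if the kernel transparently
 * restarted read() (SA_RESTART), 0 if read() failed with EINTR, -1 on error. */
int blocking_read_after_signal(int use_sa_restart) {
    int fds[2]; if (pipe(fds) < 0) return -1;
    pid_t child = fork(); if (child < 0) return -1;
    if (child == 0) { close(fds[0]); usleep(300000); (void)!write(fds[1], "x", 1); _exit(0); }
    close(fds[1]);
    install_handler(use_sa_restart ? SA_RESTART : 0);
    struct itimerval tv = { {0, 0}, {0, 100000} };   /* one-shot, 100 ms */
    setitimer(ITIMER_REAL, &tv, NULL);
    char c; ssize_t n = read(fds[0], &c, 1);          /* blocks until byte or EINTR */
    int err = errno;
    waitpid(child, NULL, 0); close(fds[0]);
    if (n == 1 && signal_seen) return 1;
    return (n < 0 && err == EINTR) ? 0 : -1;
}

/* Pure user-space copy loop: the handler runs at iteration 50 and returns,
 * and the loop simply continues. Returns 1 if all 100 copies ran and the
 * signal was seen, i.e. nothing in user space was restarted or skipped. */
int userspace_copy_after_signal(void) {
    static unsigned char src[4096], dst[4096];
    install_handler(SA_RESTART);   /* SA_RESTART is irrelevant to library code */
    int i;
    for (i = 0; i < 100; i++) {
        if (i == 50) raise(SIGALRM);   /* delivered synchronously, handler runs here */
        memcpy(dst, src, sizeof src);
    }
    return signal_seen && i == 100;
}
```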
