Vulnerability Development mailing list archives
Re: Administrivia: List Announcement
From: "Nexus" <nexus () patrol i-way co uk>
Date: Tue, 13 May 2003 22:24:14 +0100
----- Original Message -----
From: "xenophi1e" <oliver.lavery () sympatico ca>
[snip]

Off-by-one. Third arg should be SIZE-1 to leave room for the terminating NULL. This error should lead to a heap based vulnerability when the memory is free()d.

To take it one stage further, assuming the sample program is called buggy.c:
(Using Linux as debugging on win32 is not email friendly ;-)

[nexus@wulfgar insecure]$ gcc buggy.c -g -o buggy
[nexus@wulfgar insecure]$ ./buggy `perl -e 'print "A"x253;print " ";print "BBBBCCCC";'`
Segmentation fault (core dumped)

One byte over the buffer size of 252 for the first arg, so we get an exception - looking at what happened:

[nexus@wulfgar insecure]$ gdb buggy core.966
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./buggy AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x42074033 in _int_free () from /lib/i686/libc.so.6

There's the exception in free() as mentioned by xenophi1e, do we have any registers at all ?

(gdb) info reg
eax            0x43434343       1128481603
ecx            0x42424242       1111638594
edx            0x140            320
ebx            0x4212a2d0       1108517584
esp            0xbffff980       0xbffff980
ebp            0xbffff9a8       0xbffff9a8
esi            0x80495f0        134518256
edi            0x100            256
eip            0x42074033       0x42074033
[...]

Yup - the second arg is overwriting eax and ecx on this x86 RH8 system, thus we can write arbitrary data into 2 registers.

What can we do next ?

Cheers.
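The fix xenophi1e describes (pass SIZE-1 to the copy so one byte is left for the terminator), written out as an added example. This is not the thread's buggy.c, which the archive does not reproduce; the 252-byte buffer size is the one quoted in the thread, while the function names copy_arg and store_arg and the ARG_BUF_SIZE macro are assumptions made here. The copy helper always terminates the buffer and reports truncation, so a 253-byte argument is cut to 251 characters plus the NUL instead of running one byte past the heap chunk:

```c
/* Added example, not the thread's buggy.c. Shows the corrected bounded copy
 * into a fixed-size heap buffer: the copy length is dst_size - 1 so the
 * terminating NUL always lands inside the allocation. The 252-byte size is
 * taken from the thread; the function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_BUF_SIZE 252   /* buffer size discussed in the thread */

/* Copy src into dst (dst_size bytes), always NUL-terminating.
 * Returns 0 if the whole string fitted, 1 if it had to be truncated. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return 1;                        /* nowhere to put even the NUL */
    size_t src_len = strlen(src);
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';                       /* the byte the off-by-one version lost */
    return src_len > n;
}

/* Allocate an ARG_BUF_SIZE chunk and store one argument in it.
 * Returns the stored length, or (size_t)-1 if malloc failed. The caller
 * frees *out; with the copy bounded as above, free() sees an intact chunk. */
size_t store_arg(const char *arg, char **out)
{
    char *buf = malloc(ARG_BUF_SIZE);
    if (buf == NULL) {
        *out = NULL;
        return (size_t)-1;
    }
    if (copy_arg(buf, ARG_BUF_SIZE, arg))
        fprintf(stderr, "warning: argument truncated to %d bytes\n",
                ARG_BUF_SIZE - 1);
    *out = buf;
    return strlen(buf);
}

int main(int argc, char **argv)
{
    /* Constructed input mirroring the thread's test: 253 'A's, one more
     * than the buffer can hold with its terminator. */
    char constructed[254];
    memset(constructed, 'A', 253);
    constructed[253] = '\0';

    const char *arg = argc > 1 ? argv[1] : constructed;
    char *stored = NULL;
    size_t len = store_arg(arg, &stored);
    if (len == (size_t)-1)
        return 1;
    printf("stored %zu bytes, last byte is %s\n", len,
           stored[ARG_BUF_SIZE - 1] == '\0' ? "NUL" : "NOT NUL");
    free(stored);                        /* no crash: chunk header untouched */
    return 0;
}
```

Run it with no arguments to use the constructed 253-byte input, or pass your own first argument; in either case the buffer's final byte is the NUL and free() completes normally.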
Current thread:
- RE: vulndev1.c solution (warning SPOILER), (continued)
- RE: vulndev1.c solution (warning SPOILER) Cameron Brown (May 15)
- Re: vulndev1.c solution (warning SPOILER) Kenji Cronos (May 15)
- Re: vulndev-1 exploit. Joel Eriksson (May 14)
- Re: vulndev-1 exploit. Joel Eriksson (May 14)
- Re: Administrivia: List Announcement xenophi1e (May 13)
- Re: Administrivia: List Announcement Shafik Yaghmour (May 13)
- RE: Administrivia: List Announcement Oliver Lavery (May 13)
- RE: Administrivia: List Announcement Gustavo Scotti (May 13)
- RE: Administrivia: List Announcement Oliver Lavery (May 13)
- Re: Administrivia: List Announcement Eric Haugh (May 13)
- Re: Administrivia: List Announcement Nexus (May 13)
- Re: Administrivia: List Announcement Shafik Yaghmour (May 13)
- Re: Administrivia: List Announcement Thiago Canozzo Lahr (May 13)
- Re: Administrivia: List Announcement Wynn Fenwick (May 13)
- Re: Administrivia: List Announcement Thiago Canozzo Lahr (May 14)
- Re: Administrivia: List Announcement xenophi1e (May 14)
- RE: Administrivia: List Announcement Michael Wojcik (May 14)