Vulnerability Development mailing list archives

RE: Buffer UNDERFLOWS: What do you know about it?

From: Chris Anley <chris () ngssoftware com>
Date: Wed, 14 Jan 2004 17:01:29 +0000 (GMT Standard Time)

Just for historical accuracy, Mark Litchfield of NGS found this bug, and
was working with Apache to fix it. ISS then released their advisory
without consulting Apache. See below for some press from the time...

http://theregister.co.uk/content/4/25766.html
http://news.zdnet.co.uk/software/0,39020381,2111994,00.htm

Re: Buffer underflows. I guess if you have a situation where you control a
static buffer in a parent function and then pop too many times in the
child then that could be exploitable, since the saved return address
could be in the data you control. I've never seen this though.

Signedness errors are usually overflows.

You see lots of cases where folks aren't expecting a negative return code
from a function that normally returns a length (e.g. recv()) and mess up
their array indexing, and wind up referencing buff[-1] or something. Null
terminating data obtained from recv() is a classic case of this.

I guess, in a strange kind of way, the va_arg issue that format string
bugs are based on is kind of an underflow, in that the specified quantity
of 'things' to be read is more than there are available, so the 'things'
get read from the next location on the stack.

Come to think of it, I'm not sure how you'd define an underflow. Taking
too much out, rather than putting too much in? Referencing a negative
offset in an array? Interesting stuff though.

     -chris.

On Mon, 12 Jan 2004, OUAH wrote:

hi,

I've been thinking about it for a few days, Googling, looking for papers,
articles or whatever over the internet, but there is scant material about it.
So I decided to ask: what do you guys know about it?

There was a famous bug in Apache in the beginning-middle of 2002 (known
as the Apache chunked vuln) discovered by ISS and successfully exploited
by GOBBLES. While strictly speaking it was a classical heap overflow
("overrun"), the way GOBBLES exploited it on OpenBSD systems is like a
buffer "underrun". (With the heap overflow, they could control the last
argument of a memcpy() call. And by rendering this argument negative on
OpenBSD, memcpy() copies in the backward direction.)

My 2 cents about buffer underruns.

--------
OUAH
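The recv() case Chris describes above, as an added example that is not part of either post: a constructed stand-in for recv() (fake_recv, an assumption, not the real socket call) returns -1 on error, the unchecked handler stores that in an int and uses it as an index, so its NUL terminator lands at buf[-1]; the checked version beside it refuses a negative length first. The guard byte in front of the line buffer is a constructed device that makes the stray write observable.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define LINE_MAX_LEN 16

/* Constructed stand-in for recv(): fills buf with up to len bytes and
 * returns the count, or -1 to simulate the error return that the
 * handler forgets to check. */
static ssize_t fake_recv(char *buf, size_t len, ssize_t outcome) {
    if (outcome < 0) return -1;
    size_t n = (size_t)outcome < len ? (size_t)outcome : len;
    memset(buf, 'A', n);
    return (ssize_t)n;
}

/* Vulnerable pattern: the return value becomes an index with no sign
 * check, so on error buf[-1] receives the terminator. The line buffer
 * starts one byte into `storage`, so the stray write lands on storage[0],
 * a guard byte we own, instead of on unrelated memory. Returns the guard. */
char terminate_unchecked(ssize_t outcome) {
    char storage[1 + LINE_MAX_LEN];
    char *buf = storage + 1;
    storage[0] = 'G';
    int n = (int)fake_recv(buf, LINE_MAX_LEN - 1, outcome);
    buf[n] = '\0';              /* n == -1 -> writes storage[0] */
    return storage[0];
}

/* Hardened pattern: a negative result is an error, never an index. */
char terminate_checked(ssize_t outcome) {
    char storage[1 + LINE_MAX_LEN];
    char *buf = storage + 1;
    storage[0] = 'G';
    ssize_t n = fake_recv(buf, LINE_MAX_LEN - 1, outcome);
    if (n < 0) {
        buf[0] = '\0';          /* error path: empty line, nothing indexed */
        return storage[0];
    }
    buf[n] = '\0';
    return storage[0];
}
```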
