[12516] in bugtraq


Re: ImmuniX OS Security Alert: StackGuard 1.21 Released

daemon@ATHENA.MIT.EDU (Gerardo Richarte)
Wed Nov 10 15:21:11 1999

Message-Id:  <3829B8BD.ABD3BCF9@core-sdi.com>
Date:         Wed, 10 Nov 1999 15:20:19 -0300
Reply-To: Gerardo Richarte <core.lists.bugtraq@CORE-SDI.COM>
From: Gerardo Richarte <core.lists.bugtraq@CORE-SDI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Crispin Cowan wrote:

   Consider this vulnerable code:

   #include <stdio.h>

   void foo(char * arg) {
       char *    p = arg;    // a vulnerable pointer
       char a[25];    // the buffer that makes the pointer vulnerable

       gets(a);    // using gets() makes you vulnerable: it overflows a[] into p
       gets(p);    // this is the good part: a write through the corrupted pointer
   }

   In attacking this code, the attacker first overflows the buffer a[]
   with a goal of changing the value of the char * p pointer.  Specifically,
   the attacker can cause the p pointer to point anywhere in memory,
   but especially at a return address record in an activation record.
   When the program then takes input and stores it where p points, the
   input data is stored where the attacker said to store it.

    I think that, with this kind of overflow available, StackGuard is
still vulnerable to a slightly smarter attack.
    You may think that this code example is too tricky, but there was a
buffer overflow in bind's inverse query
(http://www.securityfocus.com/vdb/bottom.html?vid=134) like this. This
reminds me of some code I wrote to exploit this on SPARCs: as it was
just one call deep, it was impossible to overwrite the return address,
so, by using a memcpy() to a pointer I could overwrite (like the one in
the example code), I overwrote part of libc in memory, let's say
printf, so when the program called printf() after the second memcpy(),
instead of calling the original printf() it called my code. Here you
have an exploit that can still be used if you have StackGuard.

    Am I wrong?

    Gerardo Richarte

--
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com

--- For a personal reply use gera@core-sdi.com
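
The attack Gerardo describes, modelled as an added example (this is not code from the thread, from StackGuard, or from the bind exploit). The two gets() calls of Crispin's foo() become two copies into a struct laid out like the function's locals, with a canary field standing in for the StackGuard word that sits between the locals and the saved return address; a writable function-pointer slot named `dispatch` stands in for the libc printf() that was overwritten on the SPARC target (that libc text was writable; on a modern system the analogous target is a GOT slot or any writable code pointer). The names `unchecked_read`, `checked_read`, `run_vulnerable` and `run_hardened` and the sample input are my own constructions. The overflow is done with memcpy over the struct rather than a real stack smash so that it runs deterministically on any platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the libc entry the program calls later (the page's printf):
 * a writable function-pointer slot is the write-what-where target here. */
typedef int (*handler_fn)(void);

static int original_handler(void) { return 0; }    /* the legitimate "printf" */
static int attacker_payload(void)  { return 0x41; } /* what the attacker wants run */

static handler_fn dispatch = original_handler;
static char scratch[64];                           /* what p legitimately points at */

#define CANARY 0xDEADBEEFu

/* foo()'s locals as quoted above: the buffer, the pointer above it, then the
 * StackGuard canary that guards the saved return address. */
struct frame {
    char      a[25];
    char     *p;
    uintptr_t canary;
};

/* First gets(): unbounded copy into a[] that runs on into p. The attacker's
 * input stops short of the canary, which is why StackGuard never notices. */
static void unchecked_read(struct frame *f, const unsigned char *in, size_t n) {
    memcpy(f, in, n);
}

/* Hardened replacement (fgets()-style): a bounded copy that cannot leave a[]. */
static void checked_read(struct frame *f, const unsigned char *in, size_t n) {
    size_t limit = sizeof f->a - 1;
    if (n > limit) n = limit;
    memcpy(f->a, in, n);
    f->a[n] = '\0';
}

/* Constructed attacker input for the first read: filler up to p, then the
 * address of the slot to hijack. Returns the input length. */
static size_t build_first_input(unsigned char *out) {
    void *target = (void *)&dispatch;
    size_t n = offsetof(struct frame, p) + sizeof target;  /* ends before canary */
    memset(out, 'A', n);
    memcpy(out + offsetof(struct frame, p), &target, sizeof target);
    return n;
}

/* Runs foo()'s two reads with the given reader and returns what the later
 * call through the "libc" entry produced; -1 means the canary check fired. */
static int run(void (*reader)(struct frame *, const unsigned char *, size_t)) {
    struct frame f;
    unsigned char in[sizeof f];
    size_t n;

    dispatch = original_handler;
    f.p = scratch;
    f.canary = CANARY;

    n = build_first_input(in);
    reader(&f, in, n);                       /* gets(a) */

    /* gets(p): the second line is the attacker's function pointer, stored
     * wherever p now points. A real gets() stops at NUL bytes inside the
     * pointer; that is a delivery detail, not part of the primitive. */
    handler_fn payload = attacker_payload;
    memcpy(f.p, &payload, sizeof payload);

    if (f.canary != CANARY) return -1;       /* StackGuard's epilogue check */
    return dispatch();                       /* the program's later printf() */
}

int run_vulnerable(void) { return run(unchecked_read); }
int run_hardened(void)   { return run(checked_read); }

int main(void) {
    printf("vulnerable: %d (0x41 = attacker code ran, canary intact)\n", run_vulnerable());
    printf("hardened:   %d (0 = original handler, p untouched)\n", run_hardened());
    return 0;
}
```

The point the model makes is that the canary is intact in both runs: the first overflow only reaches p, and the second write goes wherever p points, so the return address is never touched and StackGuard's check passes while control has already been redirected. The bounded read is what removes the primitive, not the canary.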
