[32871] in bugtraq
Re: Buffer overflow/privilege escalation in MacOS X
daemon@ATHENA.MIT.EDU (Seth Arnold)
Tue Dec 16 13:53:18 2003
Date: Tue, 16 Dec 2003 09:39:48 -0800
From: Seth Arnold <sarnold@wirex.com>
To: bugtraq@securityfocus.com
Message-ID: <20031216173948.GA8741@wirex.com>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="+HP7ph2BbKc20aGI"
Content-Disposition: inline
In-Reply-To: <C8B8BCD5-2F50-11D8-BB15-000A957DA3A8@atstake.com>
--+HP7ph2BbKc20aGI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Mon, Dec 15, 2003 at 05:48:21PM -0500, Dave G. wrote:
> The overflow occurs in main() and there is an unavoidable exit() at
> the end of the function. So while you can overwrite the return stack
> frame, the process will never use your new value.
Are you sure about this? exit(3) will perform cleanup functionality with
at least stdio streams before calling exit(2). If FILE * are located in
the same autovariable space as the overflowed buffer, there exists the
possibility those stream pointers have been smashed; if those stream
pointers have been smashed, I would NOT be confident in claiming this
buffer overflow poses no problem.
Remember that the latest OpenSSH vulnerabilities relied on the cleanup
behaviour embedded throughout the code. (A call to a fatal-death
function wasn't as fatal as the name would indicate. Oops.)
--=20
A: No.
Q: Should I include quotations after my reply?
--+HP7ph2BbKc20aGI
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/30Nj+9nuM9mwoJkRAsRjAKCUOQgVIDAqhvnz6+BlOXUbVIMYbACeKryH
6ikzSQXNyUPKVLfP5XaDO6g=
=nFrV
-----END PGP SIGNATURE-----
--+HP7ph2BbKc20aGI--
