[32873] in bugtraq
Re: Buffer overflow/privilege escalation in MacOS X
daemon@ATHENA.MIT.EDU (Mariusz Woloszyn)
Tue Dec 16 14:49:00 2003
Date: Tue, 16 Dec 2003 19:15:13 +0100 (CET)
From: Mariusz Woloszyn <emsi@ipartners.pl>
To: "Dave G." <daveg@atstake.com>
Cc: Max <rusmir@tula.net>, bugtraq@securityfocus.com
In-Reply-To: <C8B8BCD5-2F50-11D8-BB15-000A957DA3A8@atstake.com>
Message-ID: <Pine.LNX.4.58.0312161906140.30123@dzyngiel.ipartners.pl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: 8BIT
On Mon, 15 Dec 2003, Dave G. wrote:
> Indeed. However, due to several mitigating factors, this issue doe not
> appear to be exploitable (at least not with any of the techniques I am
> aware of). The overflow occurs in main() and there is an unavoidable
> exit() at the end of the function. So while you can overwrite the
> return stack frame, the process will never use your new value.
>
But you overflow local varialbles, argc and argv**, so if the program ever
uses it after the overflow, it might be possible to expoit it, _before_
exit().
See: http://www.phrack.org/show.php?p=56&a=5, at the end of "Oily way"
part. We explained there how to exploit a code protected with a compiler
placing a canary word before the RET. Of course a couple of conditions
must be fulfilled.
Regards,
--
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners
