lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 24 Aug 2004 03:50:37 -0700
From: <ktha@...h.com>
To: bugtraq@...urityfocus.com
Subject: Re: [ GLSA 200408-19 ] courier-imap: Remote Format String Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

I think that the isprint() check is NOT limiting the exploitation of
this bug at all. You can still exploit this vulnerability by overwriting
stack frames (you can read more about it here: http://www.phrack.org/show.php?p=59&a=7)
and by using the shellcode as the password field which will be located
on the heap. So, this would be exploitable even on no-exec stacks. There
are some limitations of this technique, it does not work on latest Linux
glibcs, but on FreeBSD and Solaris is doable.
I've attached a first version of my exploit for this vulnerability; it
was tested on a FreeBSD 4.10-RELEASE, thanks to andrewg.

>this can't be exploited to execute code, as any non printable characters
are
>turned into '.' before the buffer is passed to fprintf().  well actually,
 if
>there is some platform where the relevant addresses can be reached with
only
>printable characters it's possible, but i'm not aware of any such platform.
>


Andrei Catalin aka ktha
   ktha at hush dot com

[ Need a challenge ?                  ]
[    Visit http://www.pulltheplug.com ]
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkErHYEACgkQsV/nUjPdEq5v3ACghGvRGHH0swz60I0V9d6wq66j8rYA
oKmE0Amk48PZ7wgEkbT851sl0fJA
=N/5B
-----END PGP SIGNATURE-----


Download attachment "sm00ny-courier_imap_fsx.c" of type "application/octet-stream" (11541 bytes)

View attachment "sm00ny-courier_imap_fsx.c.sig" of type "text/plain" (203 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ