lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.58.0312161906140.30123@dzyngiel.ipartners.pl>
Date: Tue, 16 Dec 2003 19:15:13 +0100 (CET)
From: Mariusz Woloszyn <emsi@...rtners.pl>
To: "Dave G." <daveg@...take.com>
Cc: Max <rusmir@...a.net>, bugtraq@...urityfocus.com
Subject: Re: Buffer overflow/privilege escalation in MacOS X


On Mon, 15 Dec 2003, Dave G. wrote:

> Indeed.  However, due to several mitigating factors, this issue does not
> appear to be exploitable (at least not with any of the techniques I am
> aware of).  The overflow occurs in main() and there is an unavoidable
> exit() at the end of the function.  So while you can overwrite the
> return stack frame, the process will never use your new value.
>
But you overflow local variables, argc and argv**, so if the program ever
uses them after the overflow, it might be possible to exploit it, _before_
exit().

See: http://www.phrack.org/show.php?p=56&a=5, at the end of the "Oily way"
part. We explained there how to exploit code protected by a compiler
placing a canary word before the RET. Of course a couple of conditions
must be fulfilled.

Regards,

-- 
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners
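The point made above, that a local variable clobbered by the overflow and used by main() before the unavoidable exit() is enough, even though the saved return address is never consumed and a canary check would only run in the epilogue, is shown below as an added example. This is not code from the thread or from the Phrack article: the stack frame is modelled with a struct so the layout is deterministic (a real compiler decides where locals land), and the names run_main_like, intended, hijacked, build_payload and the demo_* functions are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the frame of a main() that copies argv[1] into a fixed
 * buffer and then keeps using a neighbouring local before exit().
 * A struct is used so the adjacency is deterministic; a real compiler
 * decides the actual layout. The canary sits between the locals and
 * the saved frame pointer / return address, as in the Phrack article.
 */
struct frame {
    char      buf[16];                  /* overflowed buffer            */
    void    (*handler)(const char *);   /* local main() uses afterwards */
    uintptr_t canary;                   /* checked only in the epilogue */
    uintptr_t saved_fp;
    uintptr_t ret;                      /* never used: exit() follows   */
};

struct result {
    int handler_ran;   /* 1 = intended, 2 = attacker-chosen             */
    int canary_ok;     /* 1 if the epilogue check would have passed     */
};

static int g_last;
static void intended(const char *s) { (void)s; g_last = 1; }
static void hijacked(const char *s) { (void)s; g_last = 2; }

#define CANARY_VALUE ((uintptr_t)0x0a0d00ff)  /* terminator-style canary */

/* The "main()" under attack: unchecked copy, then a use of a local.
 * Returns which handler ran and whether the canary survived. */
struct result run_main_like(const char *arg, size_t arglen)
{
    struct frame f;
    struct result r = {0, 0};

    memset(&f, 0, sizeof f);
    f.handler = intended;
    f.canary  = CANARY_VALUE;
    f.ret     = 0x41414141;

    if (arglen > sizeof f)            /* keep the model itself in bounds */
        arglen = sizeof f;
    memcpy((char *)&f, arg, arglen);  /* models strcpy(buf, argv[1])     */

    g_last = 0;
    f.handler(f.buf);                 /* use of an overwritten local ... */
    r.handler_ran = g_last;

    r.canary_ok = (f.canary == CANARY_VALUE); /* ... the check comes later */
    /* exit() would be here: the return address is never consumed */
    return r;
}

/* Constructed payload: 16 filler bytes, then the address of hijacked()
 * placed over handler; optionally keep going over canary, fp and ret. */
static size_t build_payload(unsigned char *out, int smash_canary)
{
    void (*fp)(const char *) = hijacked;
    size_t n = 0;
    memset(out, 'A', 16); n += 16;
    memcpy(out + n, &fp, sizeof fp); n += sizeof fp;
    if (smash_canary) {
        memset(out + n, 'B', sizeof(uintptr_t) * 3);
        n += sizeof(uintptr_t) * 3;
    }
    return n;
}

struct result demo_benign(void)
{
    const char *arg = "hello";
    return run_main_like(arg, strlen(arg) + 1);
}

struct result demo_overflow(void)
{
    unsigned char p[64];
    size_t n = build_payload(p, 0);
    return run_main_like((const char *)p, n);
}

struct result demo_overflow_smash_canary(void)
{
    unsigned char p[64];
    size_t n = build_payload(p, 1);
    return run_main_like((const char *)p, n);
}

int main(void)
{
    struct result a = demo_benign();
    struct result b = demo_overflow();
    struct result c = demo_overflow_smash_canary();
    printf("benign:   handler=%d canary_ok=%d\n", a.handler_ran, a.canary_ok);
    printf("overflow: handler=%d canary_ok=%d\n", b.handler_ran, b.canary_ok);
    printf("smash:    handler=%d canary_ok=%d\n", c.handler_ran, c.canary_ok);
    return 0;
}
```

In the second case the payload stops short of the canary, so even a process that did return from main() would pass the check; in the third case the canary is destroyed, yet the hijacked handler has already run by the time the epilogue would notice. Whether this works against the real binary depends on the conditions the thread mentions: the compiler must actually place a usable local (a pointer, argv, a length) above the buffer, and main() must touch it between the copy and exit().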
