Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.33.0301201523140.9441-100000@stratigery.local>
From: eballen1 at qwest.net (Bruce Ediger)
Subject: format strings on HP-UX

On Mon, 20 Jan 2003 bt@...fi.lt wrote:

> Are they exploitable?
>
> I was looking for a format strings exploit on HP-UX, but couldn't find
> any. Maybe because they are not exploitable??? If they are, I would
> appreciate very much if anyone could provide some information about
> that.

I think that's a pretty good question, and I don't have an answer.
Since HP-UX runs on HP's "PA" architecture, the answer may very well
be "no".  The PA architecture has a few oddities:

1. What unix people think of as "stack" and "heap" are reversed relative
to how they appear in SPARC, Mips, 68k and x86.  The stack is at a lower
address than the heap.

2. Stack grows up, heap grows down.  This, too, is reversed relative to
SPARC, Mips, x86, 68k.  I think this implies that "stack underflows"
are more exploitable than "stack overflows", but I don't really know
for certain.

3. The PA architecture is segmented.  HP does their best to hush this up
and obfuscate it, but there's a "SR" segment register.  I forget exactly
how this thing works, but it's *not* like x86.  You can only get to a
given memory location with 1 combination of SR and 32-bit address.
It's possible that stack and heap and ".text segment" live in different
segments.

4. The heap and the stack are typically marked "non-executable".  I realize
this doesn't protect 100% against stack overflows, but it sure makes them
harder.

All in all, the PA architecture is a bit hard to get your head around if you're
used to Mips/SPARC/68k big-endian memory arrangements.
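An added example, not code from the post or from HP: it measures the two layout claims above (stack direction, stack placed below the heap) on whatever machine it runs on, so a reader can compare an x86 box with a PA-RISC one, and puts the logging call that has the format string bug next to the fixed call. The frame-comparison helpers and the sample message are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Points 1 and 2 of the post, measured instead of assumed: a callee's local
 * sits at a higher address than the caller's only if the stack grows up. */
__attribute__((noinline)) static int callee_frame_is_higher(uintptr_t caller_local)
{
    volatile int mine = 0;                 /* lives in this (callee) frame */
    return (uintptr_t)&mine > caller_local;
}
int stack_grows_up(void)                   /* 1 on an upward-growing stack */
{
    volatile int here = 0;
    return callee_frame_is_higher((uintptr_t)&here);
}
int stack_above_heap(void)                 /* 1 if a stack slot is above a heap block */
{
    volatile int here = 0;
    void *blk = malloc(16);                /* constructed heap allocation */
    int above = blk != NULL && (uintptr_t)&here > (uintptr_t)blk;
    free(blk);
    return above;
}

/* The bug the thread asks about: untrusted text used as the format itself,
 * so every %-directive in it is interpreted by the C library. */
void log_unsafe(char *out, size_t n, const char *msg)
{
    snprintf(out, n, msg);                 /* BUG: msg is the format string */
}
/* The fix: the untrusted text is an argument and the format is a literal. */
void log_safe(char *out, size_t n, const char *msg)
{
    snprintf(out, n, "%s", msg);
}
int safe_keeps_literal(const char *msg)    /* 1 if log_safe copies msg unchanged */
{
    char out[128];
    log_safe(out, sizeof out, msg);
    return strcmp(out, msg) == 0;
}

int main(void)
{
    char out[128]; const char *msg = "login failed for user %x.%x";  /* constructed input */
    printf("stack grows %s; stack is %s the heap\n",
           stack_grows_up() ? "up" : "down", stack_above_heap() ? "above" : "below");
    log_safe(out, sizeof out, msg);   printf("safe:   %s\n", out);  /* %x stays literal */
    log_unsafe(out, sizeof out, msg); printf("unsafe: %s\n", out);  /* %x interpreted */
}
```

On x86 and ARM Linux the first line reports a downward-growing stack above the heap; the "unsafe" line shows why -Wformat-security flags the call.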

