Message-ID: <45CB380D.6020505@65535.com>
Date: Thu, 08 Feb 2007 14:47:41 +0000
From: Neil Kettle <mu-b@...35.com>
To: full-disclosure@...ts.grok.org.uk, mu-b@...35.com
Subject: Axigen <2.0.0b1 DoS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Attached are two DoS's, used in part to win the beta testing
competition of the Axigen (www.axigen.com) mail server, for versions
<2.0.0b1; the vulnerabilities affect all platforms.
The first exploit is a single byte underflow causing a probabilistic
integer overflow in a call to memcpy; it will require around 256
attempts before a reasonable probability of success is achieved.
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1231520864 (LWP 8621)]
0xb7d37473 in memmove () from /lib/libc.so.6
(gdb) bt
#0 0xb7d37473 in memmove () from /lib/libc.so.6
#1 0x080a6d02 in ?? ()
#2 0x080a7177 in ?? ()
#3 0x0825afff in ?? ()
#4 0x080a2e77 in ?? ()
#5 0x0834cf6f in ?? ()
#6 0x0834a591 in ?? ()
#7 0x0834611d in ?? ()
#8 0x08373563 in ?? ()
#9 0xb7eda294 in start_thread () from /lib/libpthread.so.0
#10 0xb7d8832e in clone () from /lib/libc.so.6
(gdb) i r
eax 0xffffffff -1
ecx 0x3f92ce70 1066585712
edx 0xfffffff9 -7
ebx 0x0 0
esp 0xb69872a8 0xb69872a8
ebp 0xb69872d8 0xb69872d8
esi 0xbc9d000 197775360
edi 0xbc9cfff 197775359
eip 0xb7d37473 0xb7d37473 <memmove+35>
eflags 0x10212 [ AF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
The second problem simply causes a NULL pointer dereference and will
work flawlessly.
---------------------------------------------------------------------------
Neil K
(mu-b@...it-labs.org)
(mu-b@...35.com)
"Only a few people will follow the proof. Whoever does will
spend the rest of his life convincing people it is correct."
- Anonymous, "P ?= NP"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFyzgN+gf4mLMNJygRCHquAKCsdTkq4ZpcobnNOO1Il6AgbRouYgCfVkY2
5/4UqsuilwccN1ggvchDERU=
=+qy/
-----END PGP SIGNATURE-----
Attachment: "doaxigen.c" (text/x-csrc, 4957 bytes)
Attachment: "doaxigen-v2.c" (text/x-csrc, 4639 bytes)
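The mechanism behind the first bug, a single-byte length underflow that turns into a huge memcpy length, shown as an added illustration. This is constructed example code, not Axigen's source and not the attached doaxigen.c; the one-byte-length record format, the function names and the trailer-stripping logic are assumptions made for the demonstration. The trace above (eax = 0xffffffff at the time memmove faults) is what such an underflow looks like on a 32-bit build.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_MAX 64

/* Constructed record layout for this example (an assumption; it is not
 * Axigen's wire format): a one-byte length N, then N bytes of payload whose
 * last byte is a trailer the parser strips before copying. */

/* The vulnerable length computation.  `len` is promoted to int, so for a
 * zero length byte `len - 1` is -1, and the conversion to size_t yields
 * SIZE_MAX (0xffffffff on 32-bit, i.e. the eax=-1 seen in the gdb trace). */
size_t vuln_copy_len(const uint8_t *rec)
{
    uint8_t len = rec[0];
    return (size_t)(len - 1);        /* BUG: single-byte underflow */
}

/* The vulnerable copy: with a zero length byte this hands SIZE_MAX to
 * memcpy and the process faults once the copy runs off the mapping.
 * main() below deliberately calls it only with a well-formed record. */
void vuln_copy(uint8_t *out, const uint8_t *rec)
{
    memcpy(out, rec + 1, vuln_copy_len(rec));
}

/* Hardened version: validate the length byte against what is actually
 * present and against the destination before deriving the copy length,
 * so the subtraction can no longer wrap.  Returns bytes copied or -1. */
int safe_copy(uint8_t *out, size_t out_len, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1)
        return -1;                   /* no length byte at all */
    uint8_t len = rec[0];
    if (len < 1)
        return -1;                   /* would underflow: nothing to copy */
    if ((size_t)len > rec_len - 1)
        return -1;                   /* length byte claims more than present */
    size_t n = (size_t)len - 1;      /* strip trailer; cannot wrap now */
    if (n > out_len)
        return -1;                   /* would overflow the destination */
    memcpy(out, rec + 1, n);
    return (int)n;
}

int main(void)
{
    /* Constructed sample records (assumptions, not captured traffic). */
    static const uint8_t ok[]  = { 4, 'a', 'b', 'c', '\n' };
    static const uint8_t bad[] = { 0 };
    uint8_t out[OUT_MAX];

    vuln_copy(out, ok);
    printf("vulnerable length for good record: %zu\n", vuln_copy_len(ok));
    printf("vulnerable length for zero-length record: %zu (SIZE_MAX)\n",
           vuln_copy_len(bad));
    printf("safe_copy good record: %d\n", safe_copy(out, sizeof out, ok, sizeof ok));
    printf("safe_copy zero-length record: %d\n", safe_copy(out, sizeof out, bad, sizeof bad));
    return 0;
}
```

The check order in safe_copy is the point: the length byte is compared against the bytes actually received and against the destination size first, and only then is the trailer subtracted, so the arithmetic is done on a value already known to be at least 1 and at most the buffer size.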
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/