Re: Apache Exploit

From: 3APA3A (3APA3Aat_private)
Date: Thu Jun 20 2002 - 09:12:54 PDT


    Dear Stefan Esser,
    --Thursday, June 20, 2002, 12:30:48 PM, you wrote to bugtraqat_private:
    SE> here is my little explanation how bsd memcpy can be exploited:
    SE> ...
    SE> 1:
    SE>         addl    %ecx,%edi       /* copy backwards. */
    SE>         addl    %ecx,%esi
    SE>         std
    SE> [1]     andl    $3,%ecx         /* any fractional bytes? */
    SE>         decl    %edi
    SE>         decl    %esi
    SE>         rep
    SE>         movsb
    SE> [X]     movl    20(%esp),%ecx   /* copy remainder by words */
    SE>         shrl    $2,%ecx
    SE>         subl    $3,%esi
    SE>         subl    $3,%edi
    SE>         rep
    SE>         movsl
    SE> ...
    SE> In Apache we trigger exactly this piece of code: bsd thinks the two
    SE> buffers are overlapping and so it wants to copy backward.
    SE> The problem is that you are able to overwrite the call to memcpy
    SE> including the supplied parameters (dst, src, length). With up to
    Do not say bsd. At least FreeBSD doesn't use the supplied parameters in the main
    loop. It copies the supplied parameters to register variables
            register char *dst = dst0;
            register const char *src = src0;
            register size_t t;
    before starting this loop and never goes back to the original values. That makes it
    impossible to exploit this vulnerability in the way you described.
    Nearly the same bug was in many RADIUS servers (but with the destination on the
    heap, which makes it impossible to exploit). So, I started a discussion
    about it on vuln-dev some time ago. See the "memcpy with negative length
    and destination on heap - exploitable?" thread.
    Stop trying; nothing will come of it. (Twain)
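As an added illustration (not code from this thread or from any BSD libc), here is a C copy routine laid out like the FreeBSD C bcopy the message cites, keeping its parameters in locals and choosing the copy direction by overlap, placed behind a length check that refuses the negative length the thread is about; overlap_copy, checked_copy, demo_shift_right and the sample buffers are hypothetical names constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Overlap-aware copy shaped like the FreeBSD C bcopy cited above: the
 * parameters are copied into locals once and only those locals drive the
 * loops, so nothing written during the copy can feed back into them. */
void overlap_copy(void *dst0, const void *src0, size_t n)
{
    char *dst = dst0;
    const char *src = src0;
    if (n == 0 || dst == src)
        return;
    if ((uintptr_t)dst < (uintptr_t)src) {
        while (n--)               /* copy forward */
            *dst++ = *src++;
    } else {
        dst += n;                 /* copy backward, as the asm above does */
        src += n;
        while (n--)
            *--dst = *--src;
    }
}

/* Guard for the bug class in the thread: a length that went negative as a
 * signed value becomes a huge size_t at the memcpy call. Refuse it, and any
 * length beyond either buffer, before memory is touched. 0 = copied, -1 = refused. */
int checked_copy(void *dst, size_t dst_cap, const void *src, size_t src_cap, long len)
{
    if (len < 0 || (size_t)len > dst_cap || (size_t)len > src_cap)
        return -1;
    overlap_copy(dst, src, (size_t)len);
    return 0;
}

/* Constructed scenario: shift "abcdefgh" right by two within its own buffer,
 * an overlapping backward copy; the NUL-terminated result goes into out. */
int demo_shift_right(char *out, size_t cap)
{
    char buf[16] = "abcdefgh";
    if (cap < 11 || checked_copy(buf + 2, sizeof buf - 2, buf, sizeof buf, 8))
        return -1;
    buf[10] = '\0';
    memcpy(out, buf, 11);
    return 0;
}
```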

    This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 11:10:34 PDT