Re[2]: Apache Exploit

From: Michal Zalewski (lcamtufat_private)
Date: Thu Jun 20 2002 - 15:40:55 PDT

On Thu, 20 Jun 2002 dullienat_private wrote:

> Please excuse if this is gibberish as it is coming from a Win-centric
> programmer who does not know much about signals, but
> has anyone actually tried to exploit memcpy(heapaddr, src, negative)
> by triggering signals on time? Doesn't the signal handler restart
> certain functions after it is done?

Signal handlers, in some circumstances, restart blocking syscalls that
were due when the signal was delivered. They do not restart library (=
user space) code. This code is simply continued.

This is not to say that delivering signals is not the way to exploit
problems like that - conditions that would otherwise lead directly to SEGV
because of access to non-allocated memory, for example. Quite
(un)fortunately, there are only two signals that could be perhaps
delivered to Apache (which, keep in mind, is running as a standalone
daemon) - SIGPIPE and SIGURG - that is, if they are not ignored and if the
handler does something interesting, which I'm not so sure about (but
haven't looked in a while).
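An added example, not part of Zalewski's message or of this thread, illustrating the two behaviours he describes. It is a small C program (Linux/glibc assumed) that delivers SIGALRM to itself from a 100 ms timer: a read() blocked on an empty pipe is transparently restarted after the handler only when the handler was installed with SA_RESTART, and otherwise fails with EINTR; a plain user-space copy loop, by contrast, is neither restarted nor aborted, it just carries on from the iteration it was in. The function names, the pipe trick and the timer interval are this example's own choices, not anything from the post.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

#ifndef SA_RESTART            /* Linux value; only needed under a strict -std= */
#define SA_RESTART 0x10000000
#endif

static int pipe_fds[2] = { -1, -1 };
static volatile sig_atomic_t handler_runs;

/* Handler: count the delivery and, if a pipe is open, push one byte into it
 * so a reader blocked on the other end has something to return.  Only the
 * async-signal-safe write() is used, and errno is preserved. */
static void on_alarm(int sig)
{
    int saved = errno;
    (void)sig;
    handler_runs++;
    if (pipe_fds[1] >= 0)
        (void)write(pipe_fds[1], "x", 1);
    errno = saved;
}

static int install_handler(int flags)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = flags;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Deliver SIGALRM to this process once, 100 ms from now (constructed delay). */
static void arm_timer(void)
{
    struct itimerval it;
    memset(&it, 0, sizeof it);
    it.it_value.tv_usec = 100 * 1000;
    handler_runs = 0;
    setitimer(ITIMER_REAL, &it, NULL);
}

/* Block in read() on an empty pipe while SIGALRM arrives.
 * Returns 1 if the kernel restarted read() after the handler (it then
 * returns the handler's byte), 0 if read() failed with EINTR, -1 on error. */
int blocking_read_under_signal(int use_sa_restart)
{
    char c;
    ssize_t n;
    int result = -1;

    if (pipe(pipe_fds) != 0 || install_handler(use_sa_restart ? SA_RESTART : 0) != 0)
        return -1;
    arm_timer();
    n = read(pipe_fds[0], &c, 1);        /* empty pipe: blocks until the signal */
    if (n == 1)
        result = 1;
    else if (n == -1 && errno == EINTR)
        result = 0;
    close(pipe_fds[0]);
    close(pipe_fds[1]);
    pipe_fds[0] = pipe_fds[1] = -1;
    return result;
}

/* A plain user-space copy loop with SIGALRM landing in the middle.
 * Returns the number of iterations executed: exactly N means the loop was
 * simply continued after the handler, not re-run; -1 if the copy is wrong. */
long copy_loop_under_signal(void)
{
    enum { N = 4096 };
    unsigned char src[N], dst[N];
    long iterations = 0;
    int i;

    for (i = 0; i < N; i++)
        src[i] = (unsigned char)i;
    if (install_handler(SA_RESTART) != 0)   /* SA_RESTART is irrelevant here */
        return -1;
    arm_timer();
    for (i = 0; i < N; i++) {
        dst[i] = src[i];
        iterations++;
        /* Spin at the midpoint until the signal has been handled, so the
         * delivery provably happens while this user-space loop is in progress. */
        if (i == N / 2)
            while (handler_runs == 0)
                ;
    }
    return memcmp(src, dst, N) == 0 ? iterations : -1;
}

int main(void)
{
    printf("read() with SA_RESTART    -> %d (1 = restarted)\n", blocking_read_under_signal(1));
    printf("read() without SA_RESTART -> %d (0 = EINTR)\n", blocking_read_under_signal(0));
    printf("copy loop iterations      -> %ld (4096 = continued, not restarted)\n",
           copy_loop_under_signal());
    return 0;
}
```

The restart decision is made by the kernel on return from the handler and applies only to the interrupted syscall; nothing in the signal machinery re-enters the user-space function that issued it, which is the point of the reply above.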
