Re: remote overflow detail

From: ghandi (ghandiat_private)
Date: Tue Nov 06 2001 - 16:40:41 PST

Next message: RT: "PERL based MS-SQL username/password checker"

Previous message: Baron Samedi: "RE: .NET Passport: WALLET SERVICE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

After working a bit on this and discussing it off-list, we found the
problem.  Recall the portion of of server code:

void backup(char* bkFromName, int nmlen)
{
        inbackup(bkFromName, nmlen);
}

void inbackup(char *bkFromName, int nmlen)
{
   char tempDir[12];

   memcpy(tempDir,bkFromName, nmlen);
}

The problem is that between where makemsg_1 calls backup and the memcpy in
inbackup, the register windows aren't being flushed to the stack and the
overflow isn't overwriting any saved registers (as Dave Aitel suggested
and I doubted, my apologies).

Several things would cause the register windows to be written out: a
window overflow trap, a process context switch, or a mode switch.  If
the function call graph from inbackup goes deeper than the number of
windows (from 3 to 32, but usually around 10), then inbackup's register
window will be written to the stack.  A process context switch will also
do this, but as there is very little work done before the memcpy, the
chance of a context switch happening is very slim.  Also, any system call
(or a library function that uses one) would cause a mode switch to the
kernel and all the processes' windows will be written out.  Putting a
printf() or getuid() before the memcpy is enough to make the overflow
work.

Most of the techniques described previously (loading a machine down and
writing a ton of return addresses) are meant to overcome situations where
a context switch or mode switch isn't happening.  Loading the machine down
increases the probability of a context switch in the critical section
before the overflow.  Writing a ton of return addresses attempts to
overwrite the saved program counter of any saved register window up the
stack (anywhere 3-32 frames spaces up).  In this case, however, the best
solution was making the vulnerable server actually do some work before the
memcpy (this would most likely be the case in a real vulnerable server
anyway).

--
	   ghandi / ghandiat_private / www.dopesquad.net
       "Bein' Crazy is the least of my worries." - Jack Kerouac
	  C439 2B06 D8D2 A2D8 1ABB  0A55 A61D 9057 63F5 9B1F

Next message: RT: "PERL based MS-SQL username/password checker"
Previous message: Baron Samedi: "RE: .NET Passport: WALLET SERVICE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Nov 08 2001 - 14:11:37 PST