Re: hardware protection for format string attacks

From: Juliano Rizzo (core.lists.exploit-dev@core-sdi.com)
Date: Wed Nov 28 2001 - 16:13:17 PST

    Mariusz Woloszyn wrote:
    > 
    > Does anyone successfully exploited any format string vulnerability on
    > PA-RISC architecture (on any other architecture with aligned memory
    > access)???
    
    Yes and there are publicly available exploits for these architectures
    (wuftpd site exec, irix telnetd)
    
    > I mean: does the architecture here prevent from exploiting it?
    > Format string exploitation using %n requires (let's say) 4 unaligned
    > memory writes to overwrite address in memory. If I try to write to
    > unaligned address I'm getting SIGBUS.
    > 
    
    Actually, you have several ways to write values to memory using format
    strings, you can use one %n, four %n, two %hn, etc. Different combinations
    of these format modifiers will let you overcome the limitations you proposed.
    
    --- for a personal reply use: Juliano Rizzo <juliano.rizzoat_private>
    
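The write widths the reply refers to, as an added demonstration that is not part of the thread: every format string below is a literal and every target pointer is passed explicitly, so this only makes the store size of %n (int, 4 bytes) versus %hn (short, 2 bytes) observable. It shows why strict-alignment hardware is not a mitigation (two naturally aligned 2-byte stores populate a 4-byte word, and short truncation lets the second, larger count wrap to a smaller value); the real fix remains never passing untrusted data as a format string (and building with -Wformat-security). Assumes a POSIX host with /dev/null; the lo/hi argument names are mine.

```c
#include <stdio.h>
#include <stdint.h>

/* %n stores the running character count as an int: one 4-byte store.
 * Returns the count recorded after emitting 'width' spaces. */
static int store_via_n(int width)
{
    FILE *sink = fopen("/dev/null", "w");   /* discard the padding */
    int n = -1;
    if (!sink)
        return -1;
    fprintf(sink, "%*s%n", width, "", &n); /* "%*s" with "" emits exactly width chars */
    fclose(sink);
    return n;
}

/* Two %hn conversions store the count as a short each: two 2-byte stores into
 * adjacent halves of a 4-byte word, so no 4-byte store is ever issued.
 * The count only grows, so reaching 'hi' when hi < lo relies on the short
 * truncation (count mod 65536). Constructed demo: returns the word assembled
 * from the two halves (on a little-endian host this equals the in-memory
 * 4-byte value). */
static uint32_t store_via_two_hn(uint16_t lo, uint16_t hi)
{
    short half[2] = { 0, 0 };                      /* %hn wants short * */
    int delta = (int)((unsigned)(hi - lo) & 0xffffu); /* extra chars for 2nd */
    FILE *sink = fopen("/dev/null", "w");
    if (!sink)
        return 0;
    /* first %hn fires after 'lo' chars, second after lo + delta chars */
    fprintf(sink, "%*s%hn%*s%hn", (int)lo, "", &half[0], delta, "", &half[1]);
    fclose(sink);
    return ((uint32_t)(uint16_t)half[1] << 16) | (uint16_t)half[0];
}
```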
    This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 16:41:19 PST