Re: Apache Exploit

From: Stefan Esser (sesserat_private)
Date: Thu Jun 20 2002 - 09:26:30 PDT


    On Thu, Jun 20, 2002 at 08:12:54PM +0400, 3APA3A wrote:
    > 
    > Do not say BSD. At least FreeBSD doesn't use the supplied parameters in the
    > main loop. It copies the supplied parameters to register variables
    > 
    >         register char *dst = dst0;
    >         register const char *src = src0;
    >         register size_t t;
    > 
    > before starting this loop and never goes back to the original values. It makes
    > it impossible to exploit this vulnerability in the way you described.
    
    Sorry, but the code was directly taken from FreeBSD CVS. You can look as
    long as you want into the generic bcopy.c file. For x86 you must look at the
    assembler implementation. And this is what runs on x86. Besides that, I
    tested this on FreeBSD and it worked like a charm.
    
    Stefan Esser - e-matters Security
    