Dear Stefan Esser, --Thursday, June 20, 2002, 12:30:48 PM, you wrote to bugtraqat_private: SE> here is my little explanation how bsd memcpy can be exploited: SE> ... SE> 1: SE> addl %ecx,%edi /* copy backwards. */ SE> addl %ecx,%esi SE> std SE> [1] andl $3,%ecx /* any fractional bytes? */ SE> decl %edi SE> decl %esi SE> rep SE> movsb SE> [X] movl 20(%esp),%ecx /* copy remainder by words */ SE> shrl $2,%ecx SE> subl $3,%esi SE> subl $3,%edi SE> rep SE> movsl SE> ... SE> In Apache we trigger exactly this piece of code: bsd thinks the two SE> buffers are overlapping and so it wants to copy backward. SE> The problem is that you are able to overwrite the call to memcpy SE> including the supplied paramters (dst, src, length). With up to Do not say bsd. At least FreeBSD doesn't use supplied parameters in main loop. It copies supplied parameters to register variables register char *dst = dst0; register const char *src = src0; register size_t t; before starting this loop and never back to original values. It makes it impossible to exploit this vulnerability in a way you described. Nearly same bug was in many RADIUS servers (but with destination on heap, it makes it impossible to exploit it). So, I've started discussion about it on vuln-dev some time ago . See "memcpy with negative length and destination on heap - exploitable?" thread http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/1 specially http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/2 -- ~/ZARAZA Бросьте стараться - ничего из этого не выйдет. (Твен)
This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 11:10:44 PDT