Re[2]: Apache Exploit

From: dullienat_private
Date: Thu Jun 20 2002 - 12:29:30 PDT


    Hey Stefan, 3APA3A
    
    3> Nearly same bug was in many RADIUS servers (but with destination on
    3> heap, it makes it impossible to exploit it). So, I've started discussion
    3> about it on vuln-dev some time ago. See "memcpy with negative length
    3> and destination on heap - exploitable?" thread
    3> http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/1
    3> especially
    3> http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/2
    
    Please excuse if this is gibberish as it is coming from a Win-centric
    programmer who does not know much about signals, but
    has anyone actually tried to exploit memcpy(heapaddr, src, negative)
    by triggering signals on time? Doesn't the signal handler restart
    certain functions after it is done? Once the heap is garbled any heap
    operation can have nasty consequences, so if these functions which are
    restarted manipulate the heap one could be in business.
    
    Cheers,
    dullienat_private
    
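The negative-length memcpy pattern the thread refers to, as an added example that is not code from the thread, from Apache or from the RADIUS servers mentioned: a constructed length check with the signed-comparison defect beside a hardened version, and a copy routine that only proceeds after the hardened check. All function names and the buffer size are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* What memcpy actually receives when a negative int is passed as its
 * length: the implicit conversion to size_t wraps to a huge value
 * (-1 becomes SIZE_MAX), so the copy runs far past the destination. */
size_t length_as_seen_by_memcpy(int len) {
    return (size_t)len;
}

/* Defective check: both operands are signed, so any negative length
 * compares as "small enough" and memcpy(dst, src, len) would follow. */
int vulnerable_length_ok(int len, int dst_size) {
    return len <= dst_size;
}

/* Hardened check: reject negative values before the unsigned compare. */
int hardened_length_ok(int len, size_t dst_size) {
    if (len < 0)
        return 0;
    if ((size_t)len > dst_size)
        return 0;
    return 1;
}

/* Copy only when the hardened check passes.
 * Returns the number of bytes copied, or -1 if the length was rejected. */
long safe_copy(unsigned char *dst, size_t dst_size,
               const unsigned char *src, int len) {
    if (!hardened_length_ok(len, dst_size))
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

/* Constructed driver: a fixed 8-byte destination and a 4-byte source
 * payload, with the length field taken from "the wire" as a signed int. */
long demo_copy(int wire_len) {
    unsigned char dst[8] = {0};
    const unsigned char payload[4] = {0xde, 0xad, 0xbe, 0xef};
    return safe_copy(dst, sizeof dst, payload, wire_len);
}
```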



    This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 13:36:23 PDT