Re[2]: Apache Exploit

From: dullienat_private
Date: Thu Jun 20 2002 - 12:29:30 PDT

Next message: Artur Byszko / bikero: "Re: procmail heap overflow"

Previous message: Stefan Esser: "Apache Exploit"
In reply to: 3APA3A: "Re: Apache Exploit"
Next in thread: Michal Zalewski: "Re[2]: Apache Exploit"
Next in thread: Stefan Esser: "Apache Exploit"
Reply: Michal Zalewski: "Re[2]: Apache Exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hey Stefan, 3APA3A

3> Nearly  same  bug  was  in  many RADIUS servers (but with destination on
3> heap, it makes it impossible to exploit it). So, I've started discussion
3> about  it  on  vuln-dev some time ago . See "memcpy with negative length
3> and      destination      on     heap     -     exploitable?"     thread
3> http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/1
3> specially
3> http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/2

Please excuse if this is gibberish as it is coming from a Win-centric
programmer who does not know much about signals, but
has anyone actually tried to exploit memcpy(heapaddr, src, negative)
by triggering signals on time ? Doesn't the signal handler restart
certain functions after it is done ? Once the heap is garbled any heap
operation can have nasty consequences, so if these functions which are
restarted manipulate the heap one could be in business.

Cheers,
dullienat_private

Next message: Artur Byszko / bikero: "Re: procmail heap overflow"
Previous message: Stefan Esser: "Apache Exploit"
In reply to: 3APA3A: "Re: Apache Exploit"
Next in thread: Michal Zalewski: "Re[2]: Apache Exploit"
Next in thread: Stefan Esser: "Apache Exploit"
Reply: Michal Zalewski: "Re[2]: Apache Exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 13:36:23 PDT