Hey Stefan,

3APA3A
3> Nearly the same bug was in many RADIUS servers (but with destination on
3> heap, it makes it impossible to exploit it). So, I've started discussion
3> about it on vuln-dev some time ago. See "memcpy with negative length
3> and destination on heap - exploitable?" thread
3> http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/1
3> specially
3> http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/2

Please excuse if this is gibberish as it is coming from a Win-centric programmer who does not know much about signals, but has anyone actually tried to exploit memcpy(heapaddr, src, negative) by triggering signals on time? Doesn't the signal handler restart certain functions after it is done? Once the heap is garbled any heap operation can have nasty consequences, so if these functions which are restarted manipulate the heap one could be in business.

Cheers,
dullienat_private
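The bug pattern the thread is talking about, shown as an added example (not code from the thread or from any RADIUS server): a signed length is range-checked against the buffer size, a negative value passes the check, and memcpy then receives it as a huge size_t. The hardened check sits beside it; RECORD_MAX, the function names and the record contents are constructed for the demo, and the block never performs the out-of-bounds copy.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

#define RECORD_MAX 64   /* constructed heap buffer size for the demo */

/* Vulnerable pattern: a signed length compared against the buffer size.
 * A negative len satisfies "len <= RECORD_MAX", so the check passes. */
bool vulnerable_len_ok(int len) {
    return len <= RECORD_MAX;           /* -1 <= 64 is true */
}

/* Hardened check: reject negatives explicitly, then compare in the
 * unsigned domain that memcpy actually uses for its length. */
bool hardened_len_ok(int len) {
    if (len < 0) return false;
    return (size_t)len <= RECORD_MAX;
}

/* What memcpy would be asked to copy when handed a negative int:
 * the conversion to size_t wraps, e.g. -1 becomes SIZE_MAX. */
size_t memcpy_size_for(int len) {
    return (size_t)len;
}

/* Copy an externally supplied record into a heap buffer of RECORD_MAX
 * bytes. Returns bytes copied, or -1 when the length is rejected. Only
 * the hardened check guards the memcpy, so a negative length is never
 * turned into an out-of-bounds copy here. */
int copy_record(char *dst, const char *src, int len) {
    if (!hardened_len_ok(len)) return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

int main(void) {
    char *heap = malloc(RECORD_MAX);
    const char rec[] = "constructed record";   /* constructed sample input */
    printf("vulnerable check accepts -1: %d\n", vulnerable_len_ok(-1));
    printf("hardened check accepts -1:   %d\n", hardened_len_ok(-1));
    printf("memcpy would be asked for %zu bytes\n", memcpy_size_for(-1));
    printf("copy_record(len=-1) -> %d\n", copy_record(heap, rec, -1));
    printf("copy_record(len=%d) -> %d\n", (int)sizeof rec,
           copy_record(heap, rec, (int)sizeof rec));
    free(heap);
    return 0;
}
```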
This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 13:36:23 PDT