On Thu, 20 Jun 2002 dullienat_private wrote:

> Please excuse if this is gibberish as it is coming from a Win-centric
> programmer who does not know much about signals, but
> has anyone actually tried to exploit memcpy(heapaddr, src, negative)
> by triggering signals on time? Doesn't the signal handler restart
> certain functions after it is done?

Signal handlers, in some circumstances, restart blocking syscalls that
were due when the signal was delivered. They do not restart library (=
user space) code. This code is simply continued.

This is not to say that delivering signals is not the way to exploit
problems like that - conditions that would otherwise lead directly to
SEGV because of access to non-allocated memory, for example.

Quite (un)fortunately, there are only two signals that could be perhaps
delivered to Apache (which, keep in mind, is running as a standalone
daemon) - SIGPIPE and SIGURG - that is, if they are not ignored and if
the handler does something interesting, which I'm not so sure about (but
haven't looked in a while).

--
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=>
Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
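The distinction drawn above (a signal restarts an interrupted blocking syscall only when the handler was installed with SA_RESTART, while code running in user space just resumes where it was) can be seen directly. The following is an added example, not code from the thread and not Apache code. It is a constructed POSIX scenario: a plain copy loop standing in for memcpy() is hit by SIGURG half way through and simply continues; a read(2) blocked on an empty pipe is hit by SIGALRM (chosen so the example needs no second process; any catchable signal behaves the same) and either fails with EINTR or is transparently restarted, depending on the flag. The function names, the 64-byte buffer and the 100 ms timer are all assumptions of the example.

```c
/* Added example, not from the thread: what a signal does to code busy in
 * user space versus a syscall blocked in the kernel. Constructed for a
 * POSIX system; SIGURG is used for the copy only because the post names it,
 * SIGALRM drives the read() case so that no second process is needed. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

static volatile sig_atomic_t handler_runs;
static volatile sig_atomic_t progress;        /* loop index, updated by the copy */
static volatile sig_atomic_t index_at_signal; /* loop index the handler saw */
static volatile int pipe_wr = -1;             /* write end the SIGALRM handler feeds */

static void note_progress(int sig)
{
    (void)sig;
    handler_runs++;
    index_at_signal = progress;
}

static void feed_pipe(int sig)
{
    (void)sig;
    handler_runs++;
    /* First delivery only interrupts the read; the second supplies the byte
     * it is waiting for. write(2) is async-signal-safe. */
    if (handler_runs == 2 && pipe_wr >= 0) {
        ssize_t ignored = write(pipe_wr, "x", 1);
        (void)ignored;
    }
}

static int install(int sig, void (*fn)(int), int flags)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fn;
    sa.sa_flags = flags;
    sigemptyset(&sa.sa_mask);
    return sigaction(sig, &sa, NULL);
}

static int arm_timer(long ms)       /* ms == 0 disarms the timer */
{
    struct itimerval it;
    it.it_value.tv_sec = ms / 1000;
    it.it_value.tv_usec = (ms % 1000) * 1000;
    it.it_interval = it.it_value;   /* keep firing at the same interval */
    return setitimer(ITIMER_REAL, &it, NULL);
}

/* Case 1: a user-space copy loop (stand-in for memcpy) gets SIGURG at the
 * half-way mark. The handler runs, returns, and the loop picks up at the
 * same index: nothing is restarted or aborted. Returns the index the
 * handler observed (32 for the constructed 64-byte input) or -1 on any
 * mismatch. */
int demo_user_space_copy(void)
{
    unsigned char src[64], dst[64];   /* constructed input */
    size_t i;

    for (i = 0; i < sizeof src; i++)
        src[i] = (unsigned char)i;
    memset(dst, 0, sizeof dst);
    handler_runs = 0;
    index_at_signal = -1;
    if (install(SIGURG, note_progress, 0) != 0)
        return -1;

    for (i = 0; i < sizeof src; i++) {
        progress = (sig_atomic_t)i;
        if (i == sizeof src / 2)
            raise(SIGURG);          /* handler runs here; we resume at dst[i] */
        dst[i] = src[i];
    }
    if (handler_runs != 1 || memcmp(src, dst, sizeof src) != 0)
        return -1;
    return (int)index_at_signal;
}

/* Case 2: read(2) blocks on an empty pipe and SIGALRM lands after 100 ms.
 * With flags == 0 the syscall is abandoned and read() returns -1/EINTR.
 * With flags == SA_RESTART the kernel restarts it after the handler, the
 * second SIGALRM writes a byte, and the same read() returns 1.
 * Returns 1 when the byte arrived, -errno when read() failed. */
int demo_blocking_read(int flags)
{
    int fd[2];
    unsigned char byte;
    ssize_t got;
    int saved_errno;

    if (pipe(fd) != 0)
        return -1;
    pipe_wr = fd[1];
    handler_runs = 0;
    if (install(SIGALRM, feed_pipe, flags) != 0 || arm_timer(100) != 0)
        return -1;

    got = read(fd[0], &byte, 1);   /* blocks until interrupted or fed */
    saved_errno = errno;

    arm_timer(0);
    install(SIGALRM, SIG_DFL, 0);
    pipe_wr = -1;
    close(fd[0]);
    close(fd[1]);
    return got == 1 ? 1 : (got < 0 ? -saved_errno : 0);
}

int main(void)
{
    printf("copy loop: handler saw index %d of 64, copy completed\n",
           demo_user_space_copy());
    printf("read() without SA_RESTART: %d (EINTR is %d)\n",
           demo_blocking_read(0), EINTR);
    printf("read() with SA_RESTART:    %d\n", demo_blocking_read(SA_RESTART));
    return 0;
}
```

The copy case is why "restart" buys an attacker nothing with a bad memcpy() length: the handler returns into the same instruction stream, so the copy keeps going with the same arguments. The read() case is the only restart that exists, and it is a property of the sigaction flags, not of the code that was interrupted.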
This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 16:00:50 PDT