Re[2]: Apache Exploit

From: Michal Zalewski (lcamtufat_private)
Date: Thu Jun 20 2002 - 15:40:55 PDT


On Thu, 20 Jun 2002 dullienat_private wrote:

> Please excuse if this is gibberish as it is coming from a Win-centric
> programmer who does not know much about signals, but
> has anyone actually tried to exploit memcpy(heapaddr, src, negative)
> by triggering signals on time? Doesn't the signal handler restart
> certain functions after it is done?

Signal handlers, in some circumstances, restart blocking syscalls that
were due when the signal was delivered. They do not restart library (=
user space) code. This code is simply continued.

This is not to say that delivering signals is not the way to exploit
problems like that - conditions that would otherwise lead directly to SEGV
because of access to non-allocated memory, for example. Quite
(un)fortunately, there are only two signals that could be perhaps
delivered to Apache (which, keep in mind, is running as a standalone
daemon) - SIGPIPE and SIGURG - that is, if they are not ignored and if the
handler does something interesting, which I'm not so sure about (but
haven't looked in a while).

-- 
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
    
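The distinction Zalewski draws above (the kernel may restart a blocking syscall that a signal interrupted, but it never re-runs user-space code such as a memcpy loop) is easy to verify. The following is an added example, not code from this thread or from Apache: it blocks in read() on an empty pipe, lets SIGALRM arrive while blocked, and reports whether read() failed with EINTR or was transparently restarted, depending on whether the handler was installed with SA_RESTART. A second function shows that a signal delivered in the middle of an ordinary loop leaves the loop exactly where it was. SIGALRM, SIGUSR1 and the pipe are stand-ins chosen for the demonstration; the program assumes a POSIX system with sigaction().

```c
/* Added example: SA_RESTART syscall-restart semantics vs. user-space code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static int wake_fd = -1;  /* write end of the pipe the handler pokes */

/* SIGALRM handler: write one byte so a *restarted* read() can complete.
 * write() is async-signal-safe, so this is legal inside a handler. */
static void on_alarm(int signo)
{
    (void)signo;
    char b = 'x';
    ssize_t r = write(wake_fd, &b, 1);
    (void)r;
}

/* Block in read() on an empty pipe, have SIGALRM arrive after one second,
 * and report what read() did:
 *   0 -> interrupted, returned -1 with errno == EINTR (no SA_RESTART)
 *   1 -> transparently restarted by the kernel, returned the handler's byte
 *  -1 -> setup failure or an unexpected result */
int blocked_read_outcome(int use_sa_restart)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    wake_fd = fds[1];

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = use_sa_restart ? SA_RESTART : 0;
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return -1;

    alarm(1);
    char buf[1];
    ssize_t n = read(fds[0], buf, 1);   /* blocks until the signal hits */
    int saved_errno = errno;
    alarm(0);

    signal(SIGALRM, SIG_DFL);           /* restore default disposition */
    close(fds[0]);
    close(fds[1]);
    wake_fd = -1;

    if (n == 1)
        return 1;
    if (n == -1 && saved_errno == EINTR)
        return 0;
    return -1;
}

/* User-space code is never "restarted": the handler runs and control
 * simply continues. Raise a signal mid-loop and count iterations; the
 * count stays 1000 regardless of SA_RESTART. Returns -1 if the handler
 * did not run at all. */
static volatile sig_atomic_t got_signal = 0;
static void on_usr1(int signo) { (void)signo; got_signal = 1; }

long userspace_loop_iterations(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_usr1;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;           /* irrelevant to user-space code */
    if (sigaction(SIGUSR1, &sa, NULL) != 0)
        return -1;

    long count = 0;
    for (int i = 0; i < 1000; i++) {
        if (i == 500)
            raise(SIGUSR1);             /* handler runs here; loop goes on */
        count++;
    }
    signal(SIGUSR1, SIG_DFL);
    return got_signal ? count : -1;
}

int main(void)
{
    printf("read() without SA_RESTART: %d (0 = EINTR)\n", blocked_read_outcome(0));
    printf("read() with SA_RESTART   : %d (1 = restarted)\n", blocked_read_outcome(1));
    printf("loop iterations after mid-loop signal: %ld\n", userspace_loop_iterations());
    return 0;
}
```

The first call returns 0 because the kernel converts the interrupted read() into EINTR at signal-delivery time, before the handler's write() lands; the second returns 1 because with SA_RESTART the kernel re-executes the read() after the handler returns and now finds the byte. The loop count is 1000 in both cases, which is the point of the reply: a handler cannot make memcpy() or any other library routine start over.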

This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 16:00:50 PDT