Re: Apache Exploit

From: Ben Laurie (benat_private)
Date: Tue Jun 25 2002 - 07:00:33 PDT

    Stefan Esser wrote:
    > On Fri, Jun 21, 2002 at 10:15:09AM +0100, Ben Laurie wrote:
    > 
    >>Stefan Esser wrote:
    >>
    >>>including the supplied parameters (dst, src, length). With up to
    >>>3 bytes ([1]) depending on alignment. if you align everything perfectly
    >>>you can set the 3 high bytes of length to zero and so change how many
    >>>dwords memcpy tries to copy in our case 0x000000?? 
    >>
    > 
    >>I should just point out the slight error in this analysis - in fact, the 
    >>exploit only overwrites two bytes of the length (incidentally, the 
    > 
    > 
    > Hi Ben,
    > 
    > I never said that I was analysing the exploit when writing the part above,
    > in fact I just saw what he did (without checking any offsets). I immediately
    > recognised that he abuses this flaw in the memcpy routine. I knew this
    > technique before he demonstrated that the so-called experts were wrong.
    > But those experts also told the world that the php fileupload vulnerability
    > would be too hard to exploit in the wild...
    > 
    > If he overwrites only 2 bytes then it is his problem. If the alignment is
    > perfect (and you can make it perfect with apache) you can write up to
    > 3 bytes. 
    
    Indeed. In fact, he wanted to only overwrite 2 bytes, so it isn't really 
    a problem.
    
    Cheers,
    
    Ben.
    
    -- 
    http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
    
    "There is no limit to what a man can do or how far he can go if he
    doesn't mind who gets the credit." - Robert Woodruff
    This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 09:45:53 PDT