Re: Buffer overflow in Dovecot or OpenSSL?

From: Timo Sirainen (tssat_private)
Date: Wed Apr 09 2003 - 07:50:11 PDT

Next message: Aaron C. Newman (Application Security, Inc.): "POC Heap based buffer overflow"

Previous message: 3APA3A: "Re: Buffer overflow in Dovecot or OpenSSL?"
In reply to: 3APA3A: "Re: Buffer overflow in Dovecot or OpenSSL?"
Next in thread: Aaron C. Newman (Application Security, Inc.): "POC Heap based buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2003-04-09 at 15:38, 3APA3A wrote:
> Dear Timo Sirainen,
> 
> You're right, the fact EIP points inside the stack should indicate large
> problems.  But  the  string  at EIP doesn't look to be shellcode or it's
> part.

Shellcode could have been before or after it, because of stack base
randomization.

>  How many entries do you have in the log?

Just one, which I think means that either the attacker tried not to look
suspicious, or just that it was some random bug that triggered the first
time.

>  Do you have stackdump?

No, PAX killed it with SIGKILL so I couldn't debug it at all.

I'm anyway pretty sure that this wasn't caused at least directly by my
code. There's very few buffers in stack, and they're all written to with
bounds checking so even corrupted heap shouldn't cause this.

Next message: Aaron C. Newman (Application Security, Inc.): "POC Heap based buffer overflow"
Previous message: 3APA3A: "Re: Buffer overflow in Dovecot or OpenSSL?"
In reply to: 3APA3A: "Re: Buffer overflow in Dovecot or OpenSSL?"
Next in thread: Aaron C. Newman (Application Security, Inc.): "POC Heap based buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Apr 09 2003 - 08:09:55 PDT