Folks,

It's very interesting that I run the same program on a Linux and on an AIX box, and only the Linux returns Segmentation fault:

Linux SuSE 7.2 on a S/390 Mainframe
# ./vulndev-1 `perl -e 'print "A"x253;print " ";print "B"x253;'`
Segmentation fault (core dumped)
#

AIX 4.3.3 on a RS/6000 RISC
# ./vulndev-1 `perl -e 'print "A"x253;print " ";print "B"x253;'`
#

Suggestions?

Thanks / Regards

/*
 * Thiago Canozzo Lahr .:. IT Security Brazil
 * IBM Global Services .:. Email: tclahrat_private
 * T/L: 6839-7091 .:. Phone: +55 19 3887-7091
 */

"Nexus" <nexusat_private-way.co.uk>
13/05/03 18:24
To: "xenophi1e" <oliver.laveryat_private>, <vuln-devat_private>
cc:
Subject: Re: Administrivia: List Announcement

----- Original Message -----
From: "xenophi1e" <oliver.laveryat_private>
[snip]
> Off-by-one. Third arg should be SIZE-1 to leave room for the terminating
> NULL. This error should lead to a heap based vulnerability when the
> memory is free()d.

To take it one stage further, assuming the sample program is called buggy.c:
(Using linux as debugging on win32 is not email friendly ;-)

[nexus@wulfgar insecure]$ gcc buggy.c -g -o buggy
[nexus@wulfgar insecure]$ ./buggy `perl -e 'print "A"x253;print " ";print "BBBBCCCC";'`
Segmentation fault (core dumped)

One byte over the buffer size of 252 for the first arg, so we get an exception - looking at what happened:

[nexus@wulfgar insecure]$ gdb buggy core.966
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./buggy AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/i686/libc.so.6...done.
Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x42074033 in _int_free () from /lib/i686/libc.so.6

There's the exception in free() as mentioned by xenophi1e, do we have any registers at all ?

(gdb) info reg
eax            0x43434343       1128481603
ecx            0x42424242       1111638594
edx            0x140            320
ebx            0x4212a2d0       1108517584
esp            0xbffff980       0xbffff980
ebp            0xbffff9a8       0xbffff9a8
esi            0x80495f0        134518256
edi            0x100            256
eip            0x42074033       0x42074033
[...]

Yup - the second arg is overwriting eax and ecx on this x86 RH8 system, thus we can write arbitrary data into 2 registers. What can we do next ?

Cheers.
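The pattern xenophi1e's reply describes, as an added example that is not buggy.c or any code from the thread: when the copy length equals the buffer size, the terminating NUL lands one byte past the heap allocation, which on glibc sits in the allocator's chunk metadata and only surfaces later in free(), as in the gdb session above. The 252-byte buffer, the two copy routines and the sentinel check are assumptions; the sentinel stands in for the neighbouring chunk's metadata so the overwrite is observable instead of crashing, and a different allocator layout not crashing does not mean the bug is absent.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this example: the heap buffer size the thread mentions. */
#define BUF_SIZE 252

/* Assumed reconstruction of the pattern xenophi1e describes (not buggy.c):
 * the copy length equals the buffer size, so the terminator is written to
 * dst[BUF_SIZE], one byte past the allocation. */
static void copy_buggy(char *dst, const char *src)
{
    strncpy(dst, src, BUF_SIZE);
    dst[BUF_SIZE] = '\0';          /* off-by-one write, whatever strlen(src) is */
}

/* Fixed form: copy at most BUF_SIZE-1 bytes so the terminator stays inside. */
static void copy_fixed(char *dst, const char *src)
{
    strncpy(dst, src, BUF_SIZE - 1);
    dst[BUF_SIZE - 1] = '\0';
}

/* Run a copier against a BUF_SIZE buffer followed by one sentinel byte that
 * stands in for the next chunk's metadata (all inside one allocation, so the
 * check itself is well-defined). Returns 1 if the sentinel was clobbered,
 * 0 if it survived, -1 on allocation failure. srclen is the argument length. */
static int clobbers_sentinel(void (*copier)(char *, const char *), size_t srclen)
{
    unsigned char *region = malloc(BUF_SIZE + 1);
    char *src = malloc(srclen + 1);
    int clobbered;

    if (!region || !src) { free(region); free(src); return -1; }
    memset(src, 'A', srclen);      /* constructed input: "A" x srclen */
    src[srclen] = '\0';
    region[BUF_SIZE] = 0xAA;       /* sentinel right after the buffer */
    copier((char *)region, src);
    clobbered = region[BUF_SIZE] != 0xAA;
    free(src);
    free(region);
    return clobbered;
}

int main(void)
{
    printf("buggy copy, 253-byte arg: sentinel clobbered = %d\n",
           clobbers_sentinel(copy_buggy, 253));
    printf("fixed copy, 253-byte arg: sentinel clobbered = %d\n",
           clobbers_sentinel(copy_fixed, 253));
    return 0;
}
```

Note that the buggy variant clobbers the sentinel even for a short argument: the overflow is the terminator itself, not the long "A" string, which is why the length check alone is not the fix.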
This archive was generated by hypermail 2b30 : Wed May 14 2003 - 08:29:25 PDT