Re: memcpy with negative length and destination on heap - exploitable?
From: dullien@gmx.de Date: 12/26/01
- Previous message: KF: "wget core dumps"
- In reply to: 3APA3A: "memcpy with negative length and destination on heap - exploitable?"
- Next in thread: 3APA3A: "Re[2]: memcpy with negative length and destination on heap - exploitable?"
- Reply: 3APA3A: "Re[2]: memcpy with negative length and destination on heap - exploitable?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Dec 2001 07:13:30 -0800 From: dullien@gmx.de To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Hey 3APA3A,
3> Theoretically, are there any situations where it's possible to
3> exploit this kind of bug:
3> char src[FEW * KB_OF_DATA], * dst;
3> get_user_input(src, sizeof(src));
3> len = src[POSITION]; /* char is signed and can be negative! */
3> dst = malloc(256);
3> memcpy(dst, src + POSITION + 1, len);
3> len is too long then converted to size_t and memcpy will crash... Is
3> it possible to avoid it if destination buffer is on heap? Program is
3> available on all possible platforms :)
Normally, no -- unless of course the application handles its own
segfault and issues either a malloc() or a free() on the corrupted
heap.
If it happens on the stack (under NT), you might be able to overwrite
SEH structures before segfaulting and thus gain control.
Auditing ISC code, eh ? ;)
Cheers,
dullien@gmx.de
-- Kind regards, dullien@gmx.de mailto:dullien@gmx.de
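The conversion the thread is discussing, as an added example that is not part of either post: a length byte read into a signed char becomes a huge size_t when passed to memcpy, and the fix is to read it unsigned and bound it against both the remaining input and the destination capacity before copying. POSITION, the sample buffers and the function names are assumptions for illustration; `signed char` is used explicitly because plain `char` is signed on x86 but not on every ABI.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Offset of the length byte within the input (assumed value for the demo). */
#define POSITION 0

/* Constructed sample inputs (not from the thread). BAD has a length byte of
   0xF0 (-16 as a signed char) followed by three payload bytes; GOOD declares
   exactly the three bytes that follow it. */
static const unsigned char BAD_SAMPLE[]  = { 0xF0, 'a', 'b', 'c' };
static const unsigned char GOOD_SAMPLE[] = { 0x03, 'a', 'b', 'c' };

/* Mirrors the quoted pattern: the length lands in a signed char, and the
   implicit conversion to memcpy's size_t parameter turns -16 into
   SIZE_MAX - 15. Returns the value memcpy would actually receive. */
size_t naive_length(const unsigned char *src) {
    signed char len = (signed char)src[POSITION];  /* 0xF0 -> -16 */
    return (size_t)len;                            /* -> SIZE_MAX - 15 */
}

/* Hardened version: read the length as unsigned so it can never be negative,
   then reject it unless it fits both the bytes remaining in src and the
   destination. Returns bytes copied, or -1 if the length was rejected. */
int copy_checked(unsigned char *dst, size_t dst_cap,
                 const unsigned char *src, size_t src_len) {
    if (src_len <= POSITION)
        return -1;                                 /* no length byte present */
    size_t len   = src[POSITION];                  /* 0..255, unsigned */
    size_t avail = src_len - POSITION - 1;         /* payload bytes after it */
    if (len > avail || len > dst_cap)
        return -1;                                 /* would over-read or overflow */
    memcpy(dst, src + POSITION + 1, len);
    return (int)len;
}

/* Runs copy_checked against a sample with a 256-byte destination, as in the
   quoted post, and returns its result so callers can check it. */
int check_sample(const unsigned char *src, size_t src_len) {
    unsigned char dst[256];
    return copy_checked(dst, sizeof dst, src, src_len);
}

int main(void) {
    printf("naive size_t for 0xF0: %zu (SIZE_MAX - 15 = %zu)\n",
           naive_length(BAD_SAMPLE), (size_t)(SIZE_MAX - 15));
    printf("checked copy of BAD:  %d\n", check_sample(BAD_SAMPLE, sizeof BAD_SAMPLE));
    printf("checked copy of GOOD: %d\n", check_sample(GOOD_SAMPLE, sizeof GOOD_SAMPLE));
    return 0;
}
```

The two checks in copy_checked address different failures: `len > avail` stops memcpy reading past the end of src, and `len > dst_cap` stops it writing past the 256-byte heap allocation; the post's crash comes from the first, but a value in the 0..255 range that still exceeds the remaining input would be missed without it.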