Apache Exploit
From: Stefan Esser (sesser@php.net)  Date: 06/20/02
- Previous message: hellNbak: "RE: Apache Worm?"
- Next in thread: Stefan Esser: "Re: Apache Exploit"
- Reply: Stefan Esser: "Re: Apache Exploit"
- Reply: Blue Boar: "Re: Apache Exploit"
- Reply: 3APA3A: "Re: Apache Exploit"
- Reply: Stefan Esser: "Re: Apache Exploit"
- Reply: Ben Laurie: "Re: Apache Exploit"
- Reply: Randy Taylor: "Re: Apache Exploit"
Date: Thu, 20 Jun 2002 10:30:48 +0200 From: Stefan Esser <sesser@php.net> To: bugtraq@securityfocus.com
Hi,
I heard several people looking at the gobbles exploit and believing it
can only be fake:
here is my little explanation of how BSD memcpy can be exploited:
first a snippet of the BSD memcpy code:
...
1:
addl %ecx,%edi /* copy backwards. */
addl %ecx,%esi
std
[1] andl $3,%ecx /* any fractional bytes? */
decl %edi
decl %esi
rep
movsb
[X] movl 20(%esp),%ecx /* copy remainder by words */
shrl $2,%ecx
subl $3,%esi
subl $3,%edi
rep
movsl
...
In Apache we trigger exactly this piece of code: BSD thinks the two
buffers are overlapping and so it wants to copy backward.
The problem is that you are able to overwrite the call to memcpy
including the supplied parameters (dst, src, length), with up to
3 bytes ([1]) depending on alignment. If you align everything perfectly
you can set the 3 high bytes of length to zero and so change how many
dwords memcpy tries to copy, in our case 0x000000??.
This is only possible because the code reads the length param again from
the stack [X]... This way you can easily survive the call and overwrite
the saved instruction pointer before the memcpy call...
just my 0.02 cents
Stefan Esser - e-matters Security
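As an added illustration of the mechanism described in the post (not code from the post, from Apache or from the BSD libc), the following C model runs the quoted backward-copy path over a simulated 32-bit stack. The stack slot addresses, the source buffer address, the stand-in return address 0x08041234 and the value 0x41414141 are all made up for the demonstration, and the overlap test is modelled as the unsigned comparison (dst - src) < len that BSD's bcopy performs before taking the backward path. The length 0xFFFFFF13 is chosen only so that dst+len lands one byte past the length slot with (len & 3) == 3. The model shows both outcomes: with that alignment the three movsb stores zero the high bytes of the saved length, the reload at [X] yields 0x13, and a four-dword copy overwrites the saved return address and then returns normally; with (len & 3) == 0 nothing touches the saved length, the reload yields the full 0xFFFFFF10, and the dword copy walks off the bottom of the stack.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32-bit stack: addresses are offsets into mem, reduced mod MEM_SIZE, so a
 * "negative" length wraps a pointer as it would on i386. All addresses are made up. */
#define MEM_SIZE      4096u
#define STACK_LOW     0x100u               /* below this the model reports a fault */
#define RET_ADDR_SLOT 0x200u               /* saved EIP of the call to memcpy */
#define ARG_DST_SLOT  (RET_ADDR_SLOT + 4)
#define ARG_SRC_SLOT  (RET_ADDR_SLOT + 8)
#define ARG_LEN_SLOT  (RET_ADDR_SLOT + 12) /* 20(%esp) in the post, re-read at [X] */
#define SRC_BUF       0x800u               /* attacker-controlled source bytes */

static uint8_t mem[MEM_SIZE];

static uint8_t  rd8(uint32_t a)            { return mem[a % MEM_SIZE]; }
static void     wr8(uint32_t a, uint8_t v) { mem[a % MEM_SIZE] = v; }
static uint32_t rd32(uint32_t a)
{
    return rd8(a) | (uint32_t)rd8(a + 1) << 8 | (uint32_t)rd8(a + 2) << 16 |
           (uint32_t)rd8(a + 3) << 24;
}
static void wr32(uint32_t a, uint32_t v)
{
    for (int i = 0; i < 4; i++) wr8(a + i, (uint8_t)(v >> (8 * i)));
}

/* Model of the BSD i386 memcpy path quoted in the post. *reloaded receives the value
 * read back from 20(%esp) at [X]. Returns false if the backward rep movsl would walk
 * off the bottom of the mapped stack, i.e. the process would crash. */
static bool sim_bsd_memcpy(uint32_t dst, uint32_t src, uint32_t len, uint32_t *reloaded)
{
    wr32(ARG_DST_SLOT, dst);               /* the caller pushed the three arguments */
    wr32(ARG_SRC_SLOT, src);
    wr32(ARG_LEN_SLOT, len);

    uint32_t edi = dst, esi = src, ecx = len;
    if (edi - esi >= ecx) {                /* no overlap: ordinary forward copy */
        for (uint32_t i = 0; i < ecx; i++) wr8(edi + i, rd8(esi + i));
        *reloaded = len;
        return true;
    }
    edi += ecx;                            /* addl %ecx,%edi   -- copy backwards */
    esi += ecx;                            /* addl %ecx,%esi */
    ecx &= 3;                              /* [1] andl $3,%ecx -- 0..3 fractional bytes */
    edi--; esi--;                          /* decl %edi / decl %esi */
    while (ecx--) {                        /* rep movsb, DF=1: these stores can hit 20(%esp) */
        wr8(edi, rd8(esi));
        edi--; esi--;
    }
    *reloaded = rd32(ARG_LEN_SLOT);        /* [X] movl 20(%esp),%ecx -- length re-read from stack */
    ecx = *reloaded >> 2;                  /* shrl $2,%ecx */
    esi -= 3; edi -= 3;                    /* subl $3,%esi / subl $3,%edi */
    while (ecx--) {                        /* rep movsl, DF=1 */
        if (edi < STACK_LOW) return false;
        wr32(edi, rd32(esi));
        edi -= 4; esi -= 4;
    }
    return true;
}

/* The copy moves mem[src+i] to mem[dst+i], so the source byte that lands on stack
 * address `target` lives at src + (target - dst). */
static void place32(uint32_t dst, uint32_t src, uint32_t target, uint32_t value)
{
    wr32(src + (target - dst), value);
}

/* One call with a huge ("negative") length, dst chosen so that dst+len lands one byte
 * past 20(%esp). The source is all zeros except the four bytes that land on the saved
 * EIP, so any movsb store into the length slot writes zero there. */
static bool run_scenario(uint32_t len, uint32_t *reloaded, uint32_t *saved_eip)
{
    memset(mem, 0, sizeof mem);
    uint32_t dst = (ARG_LEN_SLOT + 4) - len;       /* dst + len == ARG_LEN_SLOT + 4 */
    wr32(RET_ADDR_SLOT, 0x08041234u);              /* stand-in for the real return address */
    place32(dst, SRC_BUF, RET_ADDR_SLOT, 0x41414141u);
    bool ok = sim_bsd_memcpy(dst, SRC_BUF, len, reloaded);
    *saved_eip = rd32(RET_ADDR_SLOT);
    return ok;
}

int main(void)
{
    uint32_t reloaded, eip;
    bool ok = run_scenario(0xFFFFFF13u, &reloaded, &eip);   /* len & 3 == 3: the post's case */
    printf("len&3==3: %s, reloaded len=0x%08x, saved EIP=0x%08x\n",
           ok ? "returned" : "faulted", (unsigned)reloaded, (unsigned)eip);
    ok = run_scenario(0xFFFFFF10u, &reloaded, &eip);        /* len & 3 == 0: no window */
    printf("len&3==0: %s, reloaded len=0x%08x, saved EIP=0x%08x\n",
           ok ? "returned" : "faulted", (unsigned)reloaded, (unsigned)eip);
    return 0;
}
```

Build with any C99 compiler, e.g. `cc -std=c99 -Wall bsd_memcpy_model.c && ./a.out` (the file name is arbitrary). The second run shows why the alignment matters: the saved EIP is overwritten in both cases, but only when the fractional-byte copy has already shrunk the value that [X] reloads does the function return to that address instead of faulting first.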