Re: Apache Exploit
From: Stefan Esser (sesser@php.net)
Date: 06/20/02
Date: Thu, 20 Jun 2002 18:26:30 +0200
From: Stefan Esser <sesser@php.net>
To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
On Thu, Jun 20, 2002 at 08:12:54PM +0400, 3APA3A wrote:
>
> Do not say bsd. At least FreeBSD doesn't use supplied parameters in main
> loop. It copies supplied parameters to register variables
>
> register char *dst = dst0;
> register const char *src = src0;
> register size_t t;
>
> before starting this loop and never goes back to the original values. It makes it
> impossible to exploit this vulnerability in a way you described.
Sorry, but the code was directly taken from FreeBSD cvs. You can look as
long as you want into the generic bcopy.c file. For x86 you must look at the
assembler implementation. And this is what runs on x86. Besides that, I
tested this on FreeBSD and it worked like a charm.
Stefan Esser - e-matters Security