Re: Apache Exploit

From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: 06/20/02


Date: Thu, 20 Jun 2002 20:12:54 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: Stefan Esser <sesser@php.net>

Dear Stefan Esser,

--Thursday, June 20, 2002, 12:30:48 PM, you wrote to bugtraq@securityfocus.com:

SE> here is my little explanation how bsd memcpy can be exploited:

SE> ...
SE> 1:
SE> addl %ecx,%edi /* copy backwards. */
SE> addl %ecx,%esi
SE> std
SE> [1] andl $3,%ecx /* any fractional bytes? */
SE> decl %edi
SE> decl %esi
SE> rep
SE> movsb
SE> [X] movl 20(%esp),%ecx /* copy remainder by words */
SE> shrl $2,%ecx
SE> subl $3,%esi
SE> subl $3,%edi
SE> rep
SE> movsl
SE> ...

SE> In Apache we trigger exactly this piece of code: bsd thinks the two
SE> buffers are overlapping and so it wants to copy backward.
SE> The problem is that you are able to overwrite the call to memcpy
SE> including the supplied paramters (dst, src, length). With up to

Do not say bsd. At least FreeBSD doesn't use supplied parameters in main
loop. It copies supplied parameters to register variables

        register char *dst = dst0;
        register const char *src = src0;
        register size_t t;

before starting this loop and never back to original values. It makes it
impossible to exploit this vulnerability in a way you described.

Nearly same bug was in many RADIUS servers (but with destination on
heap, it makes it impossible to exploit it). So, I've started discussion
about it on vuln-dev some time ago . See "memcpy with negative length
and destination on heap - exploitable?" thread
http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/1
specially
http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/2

-- 
~/ZARAZA
Бросьте стараться - ничего из этого не выйдет. (Твен)