Vulnerability Development mailing list archives
Re: Must coredump? No. (Was: Local root through vuln...)
From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Thu, 24 Aug 2000 02:00:13 +0200
Thinking of it, the last assumption is a bit dangerous. I still think it to be true, but theoretically a data overflow could do something really funny - like overwriting a format string. Exploiting one vulnerability to exploit yet another :)

Wrote a demo of this idea. It's rather obvious but I simply didn't fall asleep until I did it. Probably real applications aren't this obviously vulnerable, but some may have similar bugs less obvious... Notice that the first vulnerability, the overflowable data, doesn't actually cause any coredump while sizes are <204. In a more complex program, maybe this had been missed or it wouldn't have coredumped at all. I guess it depends on the source, the compiler, the architecture and god knows what else.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team

[bluefish@blue playground]$ cat vuln_do.c
#include <stdio.h>
#include <string.h>

int main()
{
    char s1[100], s2[100];
    strcpy(s1, "This example should demonstrate a dataoverflow\n");
    gets(s2);     // overflowable......
    printf(s1);   // s1 used as the format string
}
[bluefish@blue playground]$ gcc -o vuln_do vuln_do.c
/tmp/ccteQVjy.o: In function `main':
/tmp/ccteQVjy.o(.text+0x22): the `gets' function is dangerous and should not be used.
[bluefish@blue playground]$ echo "" | ./vuln_do
This example should demonstrate a dataoverflow
[bluefish@blue playground]$ perl -e 'print"A"x100 . "This is exploitable, eh?";' | ./vuln_do
This is exploitable, eh?
[bluefish@blue playground]$ perl -e 'print"A"x100 . "Lets try formatation bug! %s%s%s%s%s";' | ./vuln_do
[bluefish@blue playground]$ strings core | grep AAA
AAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALets try formatation bug! %s%s%s%s%s
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALets try formatation bug! %s%s%s%s%s
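A hardened counterpart to the posted vuln_do.c, added here as an example (it is not the poster's code and not part of the original thread). It keeps the same two adjacent 100-byte buffers but reads input with a bounded copy (the guarantee fgets() gives and gets() does not), prints s1 as data rather than as a format string, and adds a small check that flags input carrying printf conversion directives before it can reach a format argument. Input is supplied as a string rather than read from stdin, an assumption made so the result is deterministic; the 'A'-padded probe is constructed inline from the post's own test string.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 100   /* same size as s1/s2 in the posted vuln_do.c */

/* Two adjacent fixed-size buffers, as in the original program. */
struct demo {
    char s1[BUF_LEN];
    char s2[BUF_LEN];
};

/* Bounded line copy: stores at most n-1 bytes plus a terminating NUL and
 * stops at a newline or end of input. Returns the number of bytes stored.
 * This is what fgets() guarantees and gets() cannot. */
size_t bounded_line(char *dst, size_t n, const char *src)
{
    size_t i = 0;
    if (n == 0)
        return 0;
    while (i < n - 1 && src[i] != '\0' && src[i] != '\n') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return i;
}

/* Detection helper: true if s contains a '%' that printf would parse as a
 * conversion directive (anything other than the literal "%%"). Run it on
 * data that is about to reach a format argument and log a hit. */
bool has_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '%') {
            if (p[1] == '%') {   /* "%%" only prints a percent sign */
                p++;
                continue;
            }
            return true;
        }
    }
    return false;
}

/* Hardened flow. Input comes from a string (assumption: the real program
 * would fgets() it from stdin). Returns true if s1 still holds the original
 * message afterwards, i.e. the input could not spill from s2 into s1. */
bool run_hardened(struct demo *d, const char *input)
{
    static const char msg[] = "This example should demonstrate a dataoverflow\n";

    memcpy(d->s1, msg, sizeof msg);           /* literal fits: 48 bytes <= BUF_LEN */
    bounded_line(d->s2, sizeof d->s2, input); /* never writes past s2 */
    fputs(d->s1, stdout);                     /* s1 is data, not a format string */
    return strcmp(d->s1, msg) == 0;
}

/* Drives run_hardened with n_as 'A' bytes followed by the probe string from
 * the post (constructed input). Reports whether s1 survived and, through
 * s2_len_out, how many bytes actually landed in s2. */
bool overflow_attempt(size_t n_as, size_t *s2_len_out)
{
    char input[512];
    struct demo d;

    if (n_as > sizeof input - 64)   /* leave room for the probe and the NUL */
        n_as = sizeof input - 64;
    memset(input, 'A', n_as);
    strcpy(input + n_as, "Lets try formatation bug! %s%s%s%s%s");

    bool intact = run_hardened(&d, input);
    if (s2_len_out)
        *s2_len_out = strlen(d.s2);
    return intact;
}

int main(void)
{
    size_t stored = 0;
    bool intact = overflow_attempt(200, &stored);  /* 200 > BUF_LEN, like the post's probe */
    printf("s1 intact: %s, s2 holds %zu bytes, probe carries format directives: %s\n",
           intact ? "yes" : "no", stored,
           has_format_directive("Lets try formatation bug! %s%s%s%s%s") ? "yes" : "no");
    return intact ? 0 : 1;
}
```

With the bounded copy, the 200-byte probe is truncated to 99 bytes inside s2, s1 is never reached, and because s1 is passed to fputs() instead of being used as the format, a "%s%s%s%s%s" sequence arriving through the input would only ever be printed, not interpreted. The directive check is the kind of thing to wire into input validation or logging on any path where untrusted bytes could end up near a printf-family format argument.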
Current thread:
- Must coredump? No. (Was: Local root through vuln...) Bluefish (P.Magnusson) (Aug 23)
- Re: Must coredump? No. (Was: Local root through vuln...) Bluefish (P.Magnusson) (Aug 23)
- Re: Must coredump? No. (Was: Local root through vuln...) Daniel Jacobowitz (Aug 24)
- Re: Must coredump? No. (Was: Local root through vuln...) Bluefish (P.Magnusson) (Aug 25)