Vulnerability Development mailing list archives

Re: Re[2]: Apache Exploit


From: SpaceWalker <spacewalker () altern org>
Date: Fri, 21 Jun 2002 01:29:24 +0200

I took a look, and I was unable to send either of those two signals to Apache during the faulty memcpy().

On Thu, 20 Jun 2002 18:40:55 -0400 (EDT)
Michal Zalewski <lcamtuf () coredump cx> wrote:
...
This is not to say that delivering signals is not the way to exploit
problems like that - conditions that would otherwise lead directly to SEGV
because of access to non-allocated memory, for example. Quite
(un)fortunately, there are only two signals that could be perhaps
delivered to Apache (which, keep in mind, is running as a standalone
daemon) - SIGPIPE and SIGURG - that is, if they are not ignored and if the
handler does something interesting, which I'm not so sure about (but
haven't looked in a while).

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
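
The condition raised in the quoted message, whether SIGPIPE and SIGURG are ignored or have a handler installed, can be checked on a running Linux process from the signal masks in `/proc/<pid>/status`. This is an added example, not part of the original thread; the signal numbers (Linux on x86/ARM) and the sample status text are assumptions constructed for illustration.

```python
import sys

# Assumption: Linux signal numbers on x86/ARM; other architectures differ.
SIGNALS = {"SIGPIPE": 13, "SIGURG": 23}

# Constructed sample, not taken from any real Apache process.
SAMPLE_STATUS = """\
Name:\thttpd
SigBlk:\t0000000000000000
SigIgn:\t0000000000001000
SigCgt:\t0000000000400000
"""

def parse_masks(status_text):
    """Extract the blocked/ignored/caught bitmasks from status text."""
    wanted = ("SigBlk", "SigIgn", "SigCgt")
    masks = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in wanted:
            masks[key] = int(value.strip(), 16)
    missing = sorted(set(wanted) - masks.keys())
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return masks

def disposition(masks, signum):
    """Return (state, blocked); bit n-1 of each mask stands for signal n."""
    bit = 1 << (signum - 1)
    if masks["SigIgn"] & bit:
        state = "ignored"
    elif masks["SigCgt"] & bit:
        state = "handler"
    else:
        state = "default"  # kernel default action applies
    return state, bool(masks["SigBlk"] & bit)

def report(status_text):
    masks = parse_masks(status_text)
    return {name: disposition(masks, num) for name, num in SIGNALS.items()}

if __name__ == "__main__":
    # With a PID argument, read the live process; otherwise use the sample.
    text = SAMPLE_STATUS
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            text = fh.read()
    for name, (state, blocked) in report(text).items():
        print(f"{name}: {state}{' (blocked)' if blocked else ''}")
```
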


