Subject: Re: another Xlib buffer overflow
From: Robert van der Meulen (rvdm CISTRON.NL)
Date: Fri Oct 13 2000 - 21:03:13 CDT
- Next message: Nu Omega Tau: "WinU Backdoor passwords!!!!"
- Previous message: debian-security-announce LISTS.DEBIAN.ORG: "[SECURITY] New version of curl fixes buffer overflow (update)"
- Next in thread: Michal Zalewski: "Re: another Xlib buffer overflow"
- Maybe reply: Robert van der Meulen: "Re: another Xlib buffer overflow"
Quoting Michal Zalewski (lcamtuf dione.ids.pl):
> On Sat, 14 Oct 2000, Robert van der Meulen wrote:
> > ii xserver-svga 3.3.6-10 X server for SVGA graphics cards
> > <rvdm crypt:~> export DISPLAY=`perl -e '{print "0" x 128}'`
> Couldn't see ':' there.
It's late at night, and I'm stupid ;)

I've been looking a bit further into this. This actually _does_ trigger
segfaults on both woody and potato.
The problem is that the display number can only contain numeric values
(Xlib does check _that_). This seriously limits possibilities for inserting
shellcode. With only the hex values of '0' to '9' an actual shellcode isn't
possible, but jumping to different addresses is possible.
Greets,
Robert van der Meulen / Emphyrio
--
| rvdmcistron.nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
Marijuana is nature's way of saying, "Hi!".
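
A defensive counterpart to the input discussed in this message, as an added example (not code from the post or from Xlib): a C check that validates a DISPLAY-style string with bounded, digits-only number fields and copies nothing into fixed buffers. The function names and both length limits are assumptions made for this illustration.

```c
#include <ctype.h>
#include <string.h>

#define MAX_HOST_LEN   255  /* assumed limit for this example */
#define MAX_NUM_DIGITS 5    /* assumed limit on display/screen digits */

/* Parse a bounded run of decimal digits at *p and advance *p past it.
 * Returns the value, or -1 if there are no digits or too many. */
static long parse_number(const char **p)
{
    const char *s = *p;
    size_t n = 0;
    long v = 0;
    while (isdigit((unsigned char)s[n])) {
        if (++n > MAX_NUM_DIGITS)
            return -1;          /* overlong digit run */
        v = v * 10 + (s[n - 1] - '0');
    }
    if (n == 0)
        return -1;              /* no digits at all */
    *p = s + n;
    return v;
}

/* Validate "[host]:display[.screen]" without copying any field.
 * Returns 0 and fills *display and *screen, or -1 if malformed. */
int check_display(const char *name, long *display, long *screen)
{
    const char *colon, *p;
    if (name == NULL || (colon = strrchr(name, ':')) == NULL)
        return -1;              /* no ':' separator */
    if ((size_t)(colon - name) > MAX_HOST_LEN)
        return -1;              /* host part too long */
    p = colon + 1;
    *screen = 0;
    if ((*display = parse_number(&p)) < 0)
        return -1;
    if (*p == '.') {
        p++;
        if ((*screen = parse_number(&p)) < 0)
            return -1;
    }
    return *p == '\0' ? 0 : -1; /* reject trailing characters */
}

int main(void)
{
    long d, s;                  /* constructed input below */
    return check_display("localhost:10.0", &d, &s) == 0 ? 0 : 1;
}
```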