|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Buffer overflow/privilege escalation in MacOS X
From: Seth Arnold (sarnold
wirex.com)
Date: Tue Dec 16 2003 - 11:39:48 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, Dec 15, 2003 at 05:48:21PM -0500, Dave G. wrote:
> The overflow occurs in main() and there is an unavoidable exit() at
> the end of the function. So while you can overwrite the return stack
> frame, the process will never use your new value.
Are you sure about this? exit(3) will perform cleanup functionality with
at least stdio streams before calling exit(2). If FILE * are located in
the same autovariable space as the overflowed buffer, there exists the
possibility those stream pointers have been smashed; if those stream
pointers have been smashed, I would NOT be confident in claiming this
buffer overflow poses no problem.
Remember that the latest OpenSSH vulnerabilities relied on the cleanup
behaviour embedded throughout the code. (A call to a fatal-death
function wasn't as fatal as the name would indicate. Oops.)
--
A: No.
Q: Should I include quotations after my reply?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/30Nj+9nuM9mwoJkRAsRjAKCUOQgVIDAqhvnz6+BlOXUbVIMYbACeKryH
6ikzSQXNyUPKVLfP5XaDO6g=
=nFrV
-----END PGP SIGNATURE-----
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]