|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Buffer overflow/privilege escalation in MacOS X
From: Mariusz Woloszyn (emsi
ipartners.pl)
Date: Tue Dec 16 2003 - 12:15:13 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, 15 Dec 2003, Dave G. wrote:
> Indeed. However, due to several mitigating factors, this issue doe not
> appear to be exploitable (at least not with any of the techniques I am
> aware of). The overflow occurs in main() and there is an unavoidable
> exit() at the end of the function. So while you can overwrite the
> return stack frame, the process will never use your new value.
>
But you overflow local varialbles, argc and argv**, so if the program ever
uses it after the overflow, it might be possible to expoit it, _before_
exit().
See: http://www.phrack.org/show.php?p=56&a=5, at the end of "Oily way"
part. We explained there how to exploit a code protected with a compiler
placing a canary word before the RET. Of course a couple of conditions
must be fulfilled.
Regards,
--
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]