Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [NETRAGARD-20060810 SECURITY ADVISORY] [HP Tru64 dtmail Unchecked Buffer - Local Root Compromise] [ http://www.netragard.com ]
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Fri, 20 Oct 2006 22:54:53 +0200

Hash: SHA1

Correction, TRU64 runs on Alphas in LSB mode. However, this bug is still
not exploitable. Sorry for the NETRAGARD-like fuckup :D

I didn't have time enough to test this, but at first sight it seems
perfectly exploitable.

Alpha is a "true" 64 bits RISC processor (both data & addressing being 64
bits), little-endian. A typical stack address is something like:
0x000000001ffff530 ( "\x30\xf5\xff\x1f\x01\x00\x00\x00" )

So yes, you have nulls (3, in this case), but at the end of the string :-)
You can try a typical string-alike buffer:
(stack variables are just before RET, you have not saved frame pointer
stored here)

Assuming a typical RET value (like the former one), your exploit should
rely on memory being "more or less clean", I mean, at least two nulls (the
third one is \0 terminator byte, you can insert it) should be exist in the
memory location where the attack string is being copied (well, at the end
of the string). Is this difficult? I don't think so (but I don't really
know for sure).

You can minimize the problem if you use longer RET addreses. For instance,
a typical address inside libc functions could be: 0x3ff800f3810 (so you
have two nulls, instead of three). You'd have to deal with only one
residual null value, instead of two. You can try this with a typical return
into libc exploit. This should be also sufficient (and useful) to avoid
non-executable stack protection, which is enabled by default in Tru64.

Well, that's the theory... :-)

- --

- -Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
Version: GnuPG v1.4.2.2 (MingW32)


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]