Vulnerability Development mailing list archives

Re: Apache Exploit
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 20 Jun 2002 20:12:54 +0400

Dear Stefan Esser,


--Thursday, June 20, 2002, 12:30:48 PM, you wrote to bugtraq () securityfocus com:

SE> here is my little explanation how bsd memcpy can be exploited:

SE> ...
SE> 1:
SE>         addl    %ecx,%edi       /* copy backwards. */
SE>         addl    %ecx,%esi
SE>         std
SE> [1]     andl    $3,%ecx         /* any fractional bytes? */
SE>         decl    %edi
SE>         decl    %esi
SE>         rep
SE>         movsb
SE> [X]     movl    20(%esp),%ecx   /* copy remainder by words */
SE>         shrl    $2,%ecx
SE>         subl    $3,%esi
SE>         subl    $3,%edi
SE>         rep
SE>         movsl
SE> ...

SE> In Apache we trigger exactly this piece of code: bsd thinks the two
SE> buffers are overlapping and so it wants to copy backward.
SE> The problem is that you are able to overwrite the call to memcpy
SE> including the supplied parameters (dst, src, length). With up to

Do not say bsd. At least FreeBSD doesn't use the supplied parameters in the main
loop. It copies the supplied parameters to register variables

        register char *dst = dst0;
        register const char *src = src0;
        register size_t t;

before starting this loop and never goes back to the original values. That makes it
impossible to exploit this vulnerability in the way you described.

Nearly the same bug was in many RADIUS servers (but with the destination on the
heap, which makes it impossible to exploit). So, I started a discussion
about it on vuln-dev some time ago. See the "memcpy with negative length
and destination on heap - exploitable?" thread
http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/1
especially
http://online.securityfocus.com/archive/82/247187/2002-06-17/2002-06-23/2

-- 
~/ZARAZA
Stop trying - nothing will come of it. (Twain)
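An added example, not part of the thread and not BSD libc code: a C model of the overlap test that precedes the backward-copy path quoted above, plus the caller-side length check that keeps a negative length from ever reaching memcpy. The buffer layout, `bsd_copy_direction`, `bounded_copy` and `demo` are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the overlap test in front of the "copy backwards" label quoted
 * in the thread: the i386 BSD memcpy/bcopy computes dst - src as an
 * unsigned value and takes the backward path when that distance is below
 * the length. Written here at native pointer width (constructed model). */
enum copy_dir { COPY_FORWARD = 0, COPY_BACKWARD = 1 };

enum copy_dir bsd_copy_direction(const void *dst, const void *src, size_t len)
{
    uintptr_t distance = (uintptr_t)dst - (uintptr_t)src; /* wraps like subl */
    /* A negative int cast to size_t is huge, so nearly any dst > src
     * counts as "overlapping" and the backward path is selected. */
    return distance < len ? COPY_BACKWARD : COPY_FORWARD;
}

/* Caller-side check, the fix an application needs before calling memcpy:
 * a length derived from signed arithmetic is rejected when negative or
 * larger than either buffer, so no wrapped size_t reaches the copy. */
bool bounded_copy(void *dst, size_t dst_cap,
                  const void *src, size_t src_cap, long len)
{
    if (len < 0)
        return false;                    /* would become a huge size_t */
    if ((size_t)len > dst_cap || (size_t)len > src_cap)
        return false;                    /* plain out-of-bounds length */
    memmove(dst, src, (size_t)len);      /* memmove handles real overlap */
    return true;
}

/* Walks through the thread's scenario on a constructed buffer layout
 * (dst 16 bytes after src). Returns 0 when every check behaves. */
int demo(void)
{
    char buf[64];
    const char *src = buf;
    char *dst = buf + 16;
    size_t negative_len = (size_t)(long)-1;      /* the bad length */
    memset(buf, 'A', sizeof buf);
    if (bsd_copy_direction(dst, src, negative_len) != COPY_BACKWARD) return 1;
    if (bsd_copy_direction(dst, src, 8) != COPY_FORWARD) return 2;   /* disjoint */
    if (bsd_copy_direction(dst, src, 32) != COPY_BACKWARD) return 3; /* real overlap */
    if (bounded_copy(dst, 48, src, 64, -1)) return 4;  /* must be refused */
    if (!bounded_copy(dst, 48, src, 64, 8)) return 5;  /* sane copy passes */
    return 0;
}
```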

