Vulnerability Development: Re: Apache Exploit

[Ben Laurie <ben () algroup co uk>]

Stefan Esser wrote:
> On Fri, Jun 21, 2002 at 10:15:09AM +0100, Ben Laurie wrote:
>
> > Stefan Esser wrote:
> >
> > > including the supplied paramters (dst, src, length). With up to
> > > 3 bytes ([1]) depending on alignment. if you align everything perfectly
> > > you can set the 3 high bytes of length to zero and so change how many
> > > dwords memcpy tries to copy in our case 0x000000?? 
> > I should just point out the slight error in this analysis - in fact, the 
> > exploit only overwrites two bytes of the length (incidentally, the 
>
> Hi Ben,
>
> i never said that i was analysing the exploit when writing the part above,
> infact i just saw what he did (without checking any offsets). I immediantly
> recognised that he abuses this flaw in the memcpy routine. I knew this
> technique before he demonstrated that the so called experts were wrong.
> But those experts also told the world that the php fileupload vulnerability
> would be to hard to exploit in the wild...
>
> If he overwrites only 2 bytes then it is his problem. If the alignment is
> perfect (and you can make it perfect with apache) you can write up to
> 3 bytes. 
Indeed. In fact, he wanted to only overwrite 2 bytes, so it isn't really 
a problem.
Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff