[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Buffer overflow/privilege escalation in MacOS X

To: "Dave G." <daveg@atstake.com>
Subject: Re: Buffer overflow/privilege escalation in MacOS X
From: Mariusz Woloszyn <emsi@ipartners.pl>
Date: Tue, 16 Dec 2003 19:15:13 +0100 (CET)

On Mon, 15 Dec 2003, Dave G. wrote:

> Indeed.  However, due to several mitigating factors, this issue doe not
> appear to be exploitable (at least not with any of the techniques I am
> aware of).  The overflow occurs in main() and there is an unavoidable
> exit() at the end of the function.  So while you can overwrite the
> return stack frame, the process will never use your new value.
>
But you overflow local varialbles, argc and argv**, so if the program ever
uses it after the overflow, it might be possible to expoit it, _before_
exit().

See: http://www.phrack.org/show.php?p=56&a=5, at the end of "Oily way"
part. We explained there how to exploit a code protected with a compiler
placing a canary word before the RET. Of course a couple of conditions
must be fulfilled.

Regards,

-- 
Mariusz Wołoszyn
Internet Security Specialist, GTS - Internet Partners

References:
- Re: Buffer overflow/privilege escalation in MacOS X
  - From: "Dave G." <daveg@atstake.com>

Prev by Date: Microsoft's plans for making XP more secure
Next by Date: ms03-043
Previous by thread: Re: Buffer overflow/privilege escalation in MacOS X
Next by thread: Re: Buffer overflow/privilege escalation in MacOS X
Index(es):
- Date
- Thread