Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ GLSA 200408-19 ] courier-imap: Remote Format String Vulnerability

from [ktha] Network Security [Permanent Link]
Subject: Re: [ GLSA 200408-19 ] courier-imap: Remote Format String Vulnerability
Date: Tue, 24 Aug 2004 03:50:37 -0700 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

I think that the isprint() check is NOT limiting the exploitation of
this bug at all. You can still exploit this vulnerability by overwriting
stack frames (you can read more about it here: 
http://www.phrack.org/show.php?p=59&a=7)
and by using the shellcode as the password field which will be located
on the heap. So, this would be exploitable even on no-exec stacks. There
are some limitations of this technique, it does not work on latest Linux
glibcs, but on FreeBSD and Solaris is doable.
I've attached a first version of my exploit for this vulnerability; it
was tested on a FreeBSD 4.10-RELEASE, thanks to andrewg.


this can't be exploited to execute code, as any non printable characters

are

turned into '.' before the buffer is passed to fprintf().  well actually,

 if

there is some platform where the relevant addresses can be reached with

only

printable characters it's possible, but i'm not aware of any such platform.




Andrei Catalin aka ktha
   ktha at hush dot com

[ Need a challenge ?                  ]
[    Visit http://www.pulltheplug.com ]
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkErHYEACgkQsV/nUjPdEq5v3ACghGvRGHH0swz60I0V9d6wq66j8rYA
oKmE0Amk48PZ7wgEkbT851sl0fJA
=N/5B
-----END PGP SIGNATURE-----

Attachment: sm00ny-courier_imap_fsx.c
Description: Binary data

Attachment: sm00ny-courier_imap_fsx.c.sig
Description: Text document

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: [ GLSA 200408-19 ] courier-imap: Remote Format String Vulnerability, ktha <=
Previous by Date:  Possible Security Issues In LiveWorld Products, GulfTech Security
Next by Date:  PHP Code Snippet Library Multiple Cross-Site Scripting (XSS) Vulnerabilities, Nikyt0x Argentina
Previous by Thread:  Possible Security Issues In LiveWorld Products, GulfTech Security
Next by Thread:  PHP Code Snippet Library Multiple Cross-Site Scripting (XSS) Vulnerabilities, Nikyt0x Argentina
Indexes:  [Date] [Thread] [Top] [All Lists]