Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Safari HTTPS Overflow

from [David Riley] Network Security [Permanent Link]
Subject: Re: Safari HTTPS Overflow
Date: Thu, 28 Apr 2005 22:19:26 -0400
I don't think this is an overflow. According to gdb, the spin lock from CFSocketEnableCallBacks is crashing. Backtracing to the call of CFSocketEnableCallBacks, I see that the two parameters (a CFSocket pointer and a set of binary flags, respectively) are:

r3             0x0      0
r4             0x9      9

Thus CFSocketEnableCallBacks is being passed a NULL pointer (and, for what it's worth, the flags are kCFSocketReadCallBack and kCFSocketWriteCallBack). Why it crashes in the spinlock, I'm not sure, but I imagine it might have to do with gdb not behaving nicely with threads.

In any case, since I don't see any registers getting overwritten with either 0x41 or 0x61 (since Safari converts it to lowercase), I don't really see an overflow. It's a crash which you might want to report to Apple, but it seems like it's probably just a case of dereferencing a NULL pointer.

I think what's happening is that some handler somewhere for the URL is seeing an overly large buffer and rejects it with a NULL pointer somewhere for the socket which isn't checked for appropriately.

Thanks,
        David

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  DEF CON - New CTF Organizers chosen!, The Dark Tangent
Next by Date:  Re: Safari HTTPS Overflow, Braden Thomas
Previous by Thread:  Safari HTTPS Overflow, Gilbert Verdian
Next by Thread:  Re: Safari HTTPS Overflow, Braden Thomas
Indexes:  [Date] [Thread] [Top] [All Lists]