
Re: CAN-2004-0488


On Sat, Jun 12, 2004 at 07:58:21PM -0600, Anthony Roberts wrote:
>"Stack-based buffer overflow in the 
>ssl_util_uuencode_binary function in ssl_util.c for 
>Apache mod_ssl, when mod_ssl is configured to trust 
>the issuing CA, may allow remote attackers to execute 
>arbitrary code via a client certificate with a long 
>subject DN."

>Do ProPolice or W^X impact this?

>One assumes that if the buffer in question is on the stack ProPolice will catch it...

ProPolice works by putting a random dummy value between the local
variables' area and the return address, so if you overrun a buffer
to overwrite the return value (to have the program jump to some code
determined by the attacker), you have to guess the right value (as that
dummy value is checked before return from the function). Dunno how
long that "canary" is, I'd guess 32 bits. So that's a 1:2^32 chance
there. In addition, most attacks try to have the code "return" to
code in the buffer just overwritten, i.e. on the stack. However,
that isn't executable thanks to W^X. So to succeed, an attacker
would have to guess at least one canary value (1:2^32) *and* code
e.g. a return-to-libc attack (which is by itself difficult because
library load addresses are randomized again, i.e. you have to guess the
random load address of the shared libc, too, unless you're attacking
a statically linked binary).

So most likely what's an exploit elsewhere will end up as a denial
of service attack on OpenBSD.

Kind regards,
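
The canary check described in the reply above, as an added example that is not part of the original message: a simulated frame in C, where no real stack is overrun. The struct layout, `run_frame`, the addresses and the fixed guard value are constructed for illustration, and the 32-bit guard width follows the message's guess rather than a confirmed ProPolice detail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame: locals, guard value, return address. */
struct frame {
    char     buf[16];
    uint32_t canary;    /* 32 bits is the message's guess, used here as an assumption */
    uint32_t ret_addr;
};

#define LEGIT_RET 0x1000u   /* constructed "legitimate" return address */

/* Hypothetical helper. Copies input over the frame starting at buf with no
   check against sizeof buf (the bug), then does the epilogue comparison.
   Returns 1 if the guard changed (the process would abort), else 0 and
   stores the return address the function would use in *ret_out. */
int run_frame(const void *input, size_t len, uint32_t guard, uint32_t *ret_out)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = guard;
    f.ret_addr = LEGIT_RET;

    if (len > sizeof f)          /* keep the simulation inside the model */
        len = sizeof f;
    memcpy(&f, input, len);      /* overruns buf when len > sizeof f.buf */

    if (f.canary != guard)
        return 1;
    *ret_out = f.ret_addr;
    return 0;
}

int main(void)
{
    unsigned char in[sizeof(struct frame)];
    uint32_t guard = 0x5ca1ab1eu;   /* constructed; a real guard is random */
    uint32_t ret = 0;

    memset(in, 'A', sizeof in);
    printf("in-bounds copy: aborted=%d\n", run_frame(in, 8, guard, &ret));
    printf("overrun:        aborted=%d\n", run_frame(in, sizeof in, guard, &ret));
    /* An overrun carrying the exact guard value is not detected. */
    memcpy(in + offsetof(struct frame, canary), &guard, sizeof guard);
    printf("guard known:    aborted=%d\n", run_frame(in, sizeof in, guard, &ret));
    return 0;
}
```

The third case is why the guard has to be unpredictable: the check only compares values, so its strength is the chance of guessing the guard.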