function pointer
is sufficient for exploitation.
After the increment, NT!KiDispatchException calls
NT!KeContextFromKframes and then NT!KiPreprocessFault, neither of
which makes notable use of GS. The next "CALL" instruction, "CALL
QWORD PTR [NT!KiDebugRoutine]", reads a function pointer global
variable that points to NT!KdpStub if the kernel is not being
debugged, or NT!KdpTrap if a kernel debugger is attached to the
system. (This exploitation technique has only been made successful
for cases where the kernel is not being debugged, which is basically
assumed to be the only real-world attack scenario.)
There are stack overflows on WebEx [1] that can be exploited by sending
maliciously crafted .atp and .wrf files to a vulnerable WebEx user. When
opened, these files trigger a reliably exploitable stack based buffer
overflow. Code execution is trivially achieved on the .wrf case because
WebEx Player allocates a function pointer on the stack that is
periodically used in what seems to be a callback mechanism, and also
because DEP and ASLR are not enabled. In the .atp case an exception
handler can be overwritten on the stack, and most registers can be
trivially overwritten.
vulnerable installations of Sybase Adaptive Server Enterprise.
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the way Sybase Backup and Monitor
servers handle certain data in the login packets. Malformed packets can
cause the service in question to lookup a function pointer outside a
predefined function pointer array. It is possible to set this function
pointer to an address where user controlled data exists and this will
result in code execution under the rights of the user running the
Monitor Server.
tries to call a function (at +2Ch on IE 6, +30h on IE 7) from the
vtable. This makes exploitability completely dependent on the
system's version of MSHTML.DLL, and all but rules out successful
exploitation in 64-bit Internet Explorer.
The mitigation works by replacing one function pointer in the vtable
with a pointer for which the low 2 bytes are 0xCCCC, but at which the
code is functionally equivalent. Legitimate virtual function calls
will work as usual, while exploitation attempts will arrive at EIP =
0xCCCCxxxx (not exploitable) rather than 0xyyyyxxxx (exploitable for
some yyyy).
pasting a publication into the Publisher program is one of the
recommended ways to troubleshoot a damaged publication in Publisher [1].
By modifying the .pub file it is possible to make the 'pubconv.dll'
library copy enough content from the file to the stack so as to
overwrite a function pointer that is later executed by the library.
As shown in the following extract from PubConv.dll, the call to
function 'sub_344EEB00' (1.1) returns a pointer to a WORD with the
size of the data to be copied from an intermediate buffer to the
stack. Instruction (1.2) shows that ECX is loaded with that 16-bit
regenrecht reported multiple vulnerabilities in various X server
extensions via iDefense:
* The XFree86-Misc extension does not properly sanitize a parameter
within a PassMessage request, allowing the modification of a function
pointer (CVE-2007-5760).
* Multiple functions in the XInput extension do not properly sanitize
client requests for swapping bytes, leading to corruption of heap
memory (CVE-2007-6427).
A] code execution in SVUIGrd.ocx Save/LoadObject
------------------------------------------------
The aStream number of SaveObject and LoadObject methods available in
SVUIGrd.ocx (2BBD45A5-28AE-11D1-ACAC-0800170967D9) is used directly as
function pointer:
02695b9d 8b00 mov eax,dword ptr [eax] ; controlled
02695b9f ff5004 call dword ptr [eax+4] ; execution
Explorer version is not affected.
The vulnerability occurs when Firefox attempts to navigate away from a
page and unload the PDF viewing plugin. When Firefox calls the plugin's
destroy method, the plugin does not properly free its resources.
Specifically, a function pointer for the window update routine is not
properly freed. This results in uninitialized memory being used when
the window is redrawn, which leads to attacker supplied data being
executed when the function pointer is dereferenced.
III. ANALYSIS
We must note that once the flaw has been triggered the for{} is
traversing invalid stack locations where *(edi+19h) points to
undetermined memory. We also have to take into account the internals of
the IO Manager where the memory allocated for the IRPs is zeroed.
Therefore, it has been proven that by allocating user-mode memory at 0x0
we can control the function pointer dereferenced.
However, that's not always true since we may be traversing uninitialized
memory that holds random values. For those cases, it is also possible to
seed the memory by issuing FSCTL/IOCTL requests before triggering the
flaw, thus we can assure high reliability when exploiting this flaw.
must open up a malicious file.
The vulnerability exists within the parsing of certain structures inside
a Notes container. During population of a C++ object when reading the
Notes container, Powerpoint incorrectly reads more data than was
allocated, overwriting a function pointer for the object which is
later used in a call from mso.dll. Successful exploitation can lead to
remote code execution under the credentials of the currently logged in
user.
application.
This vulnerability specifically exists in PowerPoint Viewer 2003 when
handling certain records in a PowerPoint presentation file. In some
circumstances, an array index can be directly controlled by data from
within the PowerPoint presentation file. Thus, a function pointer can
be directly controlled by the attacker and leveraged for arbitrary code
execution.
III. ANALYSIS
vulnerable installations of Novell eDirectory for Linux. Authentication
is not required to exploit this vulnerability.
The specific flaw exists in the libnldap library. When a large LDAP
delRequest message is sent, a stack overflow occurs overwriting a
function pointer. This results in a situation allowing the execution of
arbitrary code.
-- Vendor Response:
Novell has issued an update to correct this vulnerability. More
details can be found at:
decremented in [6].
In my exploit, I use si_threadcount incrementation to modify kernel code in
devfs_fp_check(). The opcode at 0xc076c64b is "je" (0x74). After incrementation it
changes to 0x75, which is "jne". Such a modification results in not calling
dev_relthread() at [6] and eventually leads to a function pointer call in
devfs_kqfilter_f().
The following exploit code works only on default 7.2 kernel, due to hardcoded
addresses:
Kees Cook from the Ubuntu Security Team reported that the
CairoFont::create() function in the file CairoFontEngine.cc does not
verify the type of an embedded font object inside a PDF file before
dereferencing a function pointer from it.
Impact
======
A remote attacker could entice a user to open a specially crafted PDF
them in /etc/ld.so.conf, but /lib and /usr/lib are the default paths. ]
If a ctors section has a size greater than 2 * wordsize, constructors have been
declared, and should be checked to see if they do anything interesting. An
empty list is 2 * wordsize bytes because it must still hold the two invalid
function pointers inserted into the list to mark list boundaries (alternatively
you could print the difference between the symbols __CTOR_LIST__ and
__CTOR_END__).
http://gcc.gnu.org/onlinedocs/gcc-2.95.3/gcc_17.html#SEC237
2.6 kernel:
The chip_command function in drivers/media/video/tvaudio.c in the
Linux kernel 2.6.25.x before 2.6.25.19, 2.6.26.x before 2.6.26.7,
and 2.6.27.x before 2.6.27.3 allows attackers to cause a denial of
service (NULL function pointer dereference and OOPS) via unknown
vectors. (CVE-2008-5033)
Stack-based buffer overflow in the hfs_cat_find_brec function
in fs/hfs/catalog.c in the Linux kernel before 2.6.28-rc1 allows
attackers to cause a denial of service (memory corruption or system
identifiers intended by the programmer). Therefore it is possible to
inject 'nargs' arbitrary format identifiers within the IMAP tag.
In practice, only a single format identifier can be controlled by the
attacker. This is not very nice to exploit, however arbitrary code
execution is still possible. For example, multiple successive
single-byte-writes on a global function pointer can be used to gain
control of the instruction pointer.
Due to the nature of the vulnerability, a good exploit can bypass most
OS security features (non-exec-stack, ASLR, etc.) as well as compiler
features (stack canaries,...).
https://issues.rpath.com/browse/RPL-1590
Description:
Previous versions of the libvorbis package contain multiple
vulnerabilities, including a heap overwrite, read violations,
and a function pointer overwrite. An attacker may exploit
these vulnerabilities to cause a denial of service and,
possibly, to execute arbitrary code.