function pointers
them in /etc/ld.so.conf, but /lib and /usr/lib are the default paths. ]
If a ctors section has a size greater than 2 * wordsize, constructors have been
declared, and should be checked to see if they do anything interesting. An
empty list is 2 * wordsize bytes because it must still hold the two invalid
function pointers inserted into the list to mark list boundaries (alternatively
you could print the difference between the symbols __CTOR_LIST__ and
__CTOR_END__).
http://gcc.gnu.org/onlinedocs/gcc-2.95.3/gcc_17.html#SEC237
either matches, the function fails with the error message "Invalid
parameters". However, this particular failure path skips a call that
initializes a local variable, an XDR structure. Before the handler
function returns--even in the event of failure--it retrieves the
'x_ops' pointer from the structure at offset +0x04 (32-bit) / +0x08
(64-bit), which points to a table of function pointers, and it then
calls the eighth function pointer, 'x_destroy', at offset +0x1C
(32-bit) / +0x38 (64-bit) within the table.
EXPLOITATION
is sufficient for exploitation.
After the increment, NT!KiDispatchException calls
NT!KeContextFromKframes and then NT!KiPreprocessFault, neither of
which makes notable use of GS. The next "CALL" instruction, "CALL
QWORD PTR [NT!KiDebugRoutine]", reads a function pointer global
variable that points to NT!KdpStub if the kernel is not being
debugged, or NT!KdpTrap if a kernel debugger is attached to the
system. (This exploitation technique has only been made successful
for cases where the kernel is not being debugged, which is basically
assumed to be the only real-world attack scenario.)
There are stack overflows on WebEx [1] that can be exploited by sending
maliciously crafted .atp and .wrf files to a vulnerable WebEx user. When
opened, these files trigger a reliably exploitable stack based buffer
overflow. Code execution is trivially achieved on the .wrf case because
WebEx Player allocates a function pointer on the stack that is
periodically used in what seems to be a callback mechanism, and also
because DEP and ASLR are not enabled. In the .atp case an exception
handler can be overwritten on the stack, and most registers can be
trivially overwritten.
ESX 4.1 ESX ESX410-201110201-SG
ESX 4.0 ESX ESX400-201105201-UG
ESX 3.5 ESX ESX350-201205401-SG
b. VMware host memory overwrite vulnerability (function pointers)
Due to a flaw in the handler function for RPC commands, it is
possible to manipulate function pointers within the VMX process.
This vulnerability may allow a guest user to crash the VMX
process or potentially execute code on the host.
vulnerable installations of Sybase Adaptive Server Enterprise.
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the way Sybase Backup and Monitor
servers handle certain data in the login packets. Malformed packets can
cause the service in question to look up a function pointer outside a
predefined function pointer array. It is possible to set this function
pointer to an address where user controlled data exists and this will
result in code execution under the rights of the user running the
Monitor Server.
with the privileges of the current user.
The vulnerability occurs when parsing an Excel file with a maliciously
constructed Excel record. Specific values within this record can
trigger a memory corruption vulnerability, and result in values from
the file being used as function pointers. This allows an attacker to
execute arbitrary code.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary
2.6 kernel:
The chip_command function in drivers/media/video/tvaudio.c in the
Linux kernel 2.6.25.x before 2.6.25.19, 2.6.26.x before 2.6.26.7,
and 2.6.27.x before 2.6.27.3 allows attackers to cause a denial of
service (NULL function pointer dereference and OOPS) via unknown
vectors. (CVE-2008-5033)
Stack-based buffer overflow in the hfs_cat_find_brec function
in fs/hfs/catalog.c in the Linux kernel before 2.6.28-rc1 allows
attackers to cause a denial of service (memory corruption or system
https://issues.rpath.com/browse/RPL-1590
Description:
Previous versions of the libvorbis package contain multiple
vulnerabilities, including a heap overwrite, read violations,
and a function pointer overwrite. An attacker may exploit
these vulnerabilities to cause a denial of service and,
possibly, to execute arbitrary code.
should be no other side effects. That would also mean that the
mechanism of the vulnerability is entirely reliable.)
I've confirmed that every Internet Explorer 7 x86 MSHTML.DLL is
potentially exploitable -- none of them contain a vtable slot with bit
15 set. (The virtual function pointers in question all match either
xxxx0xxx, xxxx4xxx, xxxx5xxx, xxxx6xxx, or xxxx7xxx.)
If you'd like to research this vulnerability more for yourself, you
can breakpoint CStyleSheetArray::ReleaseStyleSheet (called during
identifiers intended by the programmer). Therefore it is possible to
inject 'nargs' arbitrary format identifiers within the IMAP tag.
In practice, only a single format identifier can be controlled by the
attacker. This is not very nice to exploit, however arbitrary code
execution is still possible. For example, multiple successive
single-byte-writes on a global function pointer can be used to gain
control of the instruction pointer.
Due to the nature of the vulnerability, a good exploit can bypass most
OS security features (non-exec-stack, ASLR, etc.) as well as compiler
features (stack canaries,...).
must open up a malicious file.
The vulnerability exists within the parsing of certain structures inside
a Notes container. During population of a C++ object when reading the
Notes container, PowerPoint incorrectly reads more data than was
allocated for, overwriting a function pointer in the object which is
later used in a call from mso.dll. Successful exploitation can lead to
remote code execution under the credentials of the currently logged in
user.
tries to call a function (at +2Ch on IE 6, +30h on IE 7) from the
vtable. This makes exploitability completely dependent on the
system's version of MSHTML.DLL, and all but rules out successful
exploitation in 64-bit Internet Explorer.
The mitigation works by replacing one function pointer in the vtable
with a pointer for which the low 2 bytes are 0xCCCC, but at which the
code is functionally equivalent. Legitimate virtual function calls
will work as usual, while exploitation attempts will arrive at EIP =
0xCCCCxxxx (not exploitable) rather than 0xyyyyxxxx (exploitable for
some yyyy).
> An ioctl vulnerability in the vmx86 kernel extension allows for
> executing arbitrary code in the kernel context by an unprivileged
> user.
The vmx86 kext ioctl handler permits an unprivileged userland program to
initialize several function pointers via the 0x802E564A ioctl code.
These function pointers are later used from several reachable locations
within the driver, one of which is called immediately after initialization.
http://www.digit-labs.org/files/exploits/vmware-fission.c
Problem Description:
A vulnerability was discovered and corrected in the Linux 2.6 kernel:
The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4,
does not initialize all function pointers for socket operations
in proto_ops structures, which allows local users to trigger a NULL
pointer dereference and gain privileges by using mmap to map page zero,
placing arbitrary code on this page, and then invoking an unavailable
operation, as demonstrated by the sendpage operation on a PF_PPPOX
socket. (CVE-2009-2692)
o A flurry of cool example scripts such as:
- !heap A fully working heap dumping script (try the -d option!)
- !searchheap Searching the heap
- !hippie Trampoline hooks on RtlAllocateheap/RtlFreeHeap
- !modptr Dynamic search for function pointers in pages
- !findantidep Find address to bypass software DEP
o Writing your own scripts for your specific tasks is easy :)
Interested? Give Immunity Debugger a spin and download it from:
regenrecht reported multiple vulnerabilities in various X server
extensions via iDefense:
* The XFree86-Misc extension does not properly sanitize a parameter
within a PassMessage request, allowing the modification of a function
pointer (CVE-2007-5760).
* Multiple functions in the XInput extension do not properly sanitize
client requests for swapping bytes, leading to corruption of heap
memory (CVE-2007-6427).
with the privileges of the current user.
The vulnerability occurs when parsing a Word file with a maliciously
constructed record. Specific values within this record can trigger a
memory corruption vulnerability and result in values from the file being
used as function pointers. This allows an attacker to execute arbitrary
code.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary
pasting a publication into the Publisher program is one of the
recommended ways to troubleshoot a damaged publication in Publisher [1].
By modifying the .pub file it is possible to make the 'pubconv.dll'
library copy enough content from the file to the stack so as to
overwrite a function pointer that is later executed by the library.
As shown in the following extract from PubConv.dll, the call to
function 'sub_344EEB00' (1.1) returns a pointer to a WORD with the
size of the data to be copied from an intermediate buffer to the
stack. Instruction (1.2) shows that ECX is loaded with that 16-bit
vulnerable installations of Hewlett-Packard HP-UX operating system.
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the function sw_rpc_agent_init (opcode
0x04) defined in swagentd. Specific malformed arguments can cause
function pointers to be overwritten and thereby result in arbitrary
code execution.
-- Vendor Response:
Hewlett-Packard has issued an update to correct this vulnerability. More
details can be found in HP document ID #SB2294r1.
First of all: As Sophos has now acknowledged, this bug in discussion
does constitute an exploitable condition. Of course a single byte
overwrite in an arbitrary memory location isn't your classical
drive-by-shooting stack overflow, but there are plenty of methods to
achieve code execution (function pointers and exception handlers being
the most obvious choice). Sergio just sent Sophos a crash-PoC, so their
initial reaction was to consider it just a crash bug.
When I asked Sergio about the details of the bug I already knew it'd be
exploitable - when he dubs a bug exploitable, it typically is (unless
there's an error in the topic, hah hah :P ).
decremented in [6].
In my exploit, I use si_threadcount incrementation to modify kernel code in
devfs_fp_check(). Opcode at 0xc076c64b is "je" (0x74). After incrementation it
changes to 0x75, which is "jne". Such modification results in not calling
dev_relthread() at [6] and eventually leads to function pointer call in
devfs_kqfilter_f().
The following exploit code works only on default 7.2 kernel, due to hardcoded
addresses:
Explorer version is not affected.
The vulnerability occurs when Firefox attempts to navigate away from a
page and unload the PDF viewing plugin. When Firefox calls the plugin's
destroy method, the plugin does not properly free its resources.
Specifically, a function pointer for the window update routine is not
properly freed. This results in uninitialized memory being used when
the window is redrawn, which leads to attacker supplied data being
executed when the function pointer is dereferenced.
III. ANALYSIS
application.
This vulnerability specifically exists in PowerPoint Viewer 2003 when
handling certain records in a PowerPoint presentation file. In some
circumstances, an array index can be directly controlled by data from
within the PowerPoint presentation file. Thus, a function pointer can
be directly controlled by the attacker and leveraged for arbitrary code
execution.
III. ANALYSIS
exploit these vulnerabilities, an attacker needs to convince a user to
open a malicious file. After opening the file, no further interaction
is needed to trigger the vulnerability.
Since the vulnerabilities are stack based buffer overflows, and it is
possible to overwrite SEH handlers and function pointers stored on the
stack, exploitation is relatively simple.
IV. DETECTION
iDefense has confirmed the existence of these vulnerabilities in the
===========
Kees Cook from the Ubuntu Security Team reported that the
CairoFont::create() function in the file CairoFontEngine.cc does not
verify the type of an embedded font object inside a PDF file before
dereferencing a function pointer from it.
Impact
======
A remote attacker could entice a user to open a specially crafted PDF
A] code execution in SVUIGrd.ocx Save/LoadObject
------------------------------------------------
The aStream number of SaveObject and LoadObject methods available in
SVUIGrd.ocx (2BBD45A5-28AE-11D1-ACAC-0800170967D9) is used directly as
function pointer:
02695b9d 8b00 mov eax,dword ptr [eax] ; controlled
02695b9f ff5004 call dword ptr [eax+4] ; execution