Switch System Flaws: Difference between revisions
Line 554 (unchanged in both revisions unless noted):
The crash occurs in VFY_Begin when using the previously overwritten data. A bitsize of <code>$((16384 + 32 + 64 + 64 + 64))</code> is only enough to overwrite cx->hashcx; to fully overwrite cx->hashobj an additional 0xC bytes (96 more bits) are needed.
Note that a partial overwrite isn't an option: this is the function that initializes those fields to begin with; it just deinitializes them first before initializing hashcx/hashobj (prior to that, these fields would be all-zero when not overwritten by the buffer overflow).
Previous revision:
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a funcptr.

Current revision:
| Heap buffer overflow in [[SSL_services|ssl]], overwriting data including a pointer to an object which is later used to load a funcptr.
| 13.2.1
| 13.2.1