From: "Rich C" <[EMAIL PROTECTED]>
Subject: Re: Open Formats (was ZD on Linux)
> Following that logic, such an exploit could be accomplished with a JPG
> viewer or, for that matter, Paint.

    Yep.  And there probably are.  The thing with an image viewer or the
such is the formats are fairly locked down, and hence, buffer overflows
harder to come by.  But there are more than likely some there..

> The PDF document is simply text,
> graphics, and formatting information, similar to a postscript file.

    Yeppers.  But the thing with buffer overflows is, what if a file
contained something ELSE.  That's why they call it a bug..  :-P

> To my
> knowledge, it doesn't contain any script or code; nor can the PDF viewer
> execute any code based on the data in the file.

    Yep, and FTP servers don't execute arbitrary commands on the server,
either.  That's why it's a bug..  8-P  Here's a quick example:

    Let's assume we have a function such as this:

#include <stdio.h>
#include <string.h>

void myfunc(char *somedata)
{
    char copyofsomedata[100];   /* fixed-size buffer on the stack */
    /* no check that strlen(somedata) fits in 100 bytes: anything
       longer is written past the end of copyofsomedata */
    memcpy(copyofsomedata, somedata, strlen(somedata));
    printf("somedata was %s\n", copyofsomedata);
}

    This function takes a string, and copies it into a local variable, and
prints it.  A buffer overflow bug would occur in this case if something was
bigger than 100 characters, as copyofsomedata is only 100.  If somedata is,
let's say 200 characters, the memcpy is going to overflow the buffer.  The
memcpy will *gladly* let you do this.  Here's how it COULD look in memory:

    / copyofsomedata \            / Executable Code \
**********************|**********************

    Basically, to make it really basic, the system will allow you to
overwrite the 'executable' code.  The way many compilers generate the code,
variables can be, and often are, resting right before executable code.

    So it doesn't MATTER if the application doesn't execute something.  In
the case of a buffer overflow, the application's code is actually being
dynamically 'replaced' by the attacker with something else.
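
    As an added example, not part of Rich's post, here is the hardened
counterpart of myfunc: it measures the input before copying and refuses
anything that will not fit in the 100-byte buffer together with its
terminating NUL, so memcpy can never run past the end of copyofsomedata.
The function names myfunc_checked and make_sample, and the 'A'-filled
sample inputs, are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 100

/* Hardened counterpart of myfunc (constructed example): the length is
 * checked against the buffer before any copy happens. Returns 0 when
 * the string was copied and printed, -1 when it was rejected. */
int myfunc_checked(const char *somedata)
{
    char copyofsomedata[BUF_SIZE];
    size_t len = strlen(somedata);

    if (len >= sizeof copyofsomedata) {
        /* 99 characters plus the NUL is the most the buffer can hold */
        fprintf(stderr, "input of %zu bytes rejected (max %zu)\n",
                len, sizeof copyofsomedata - 1);
        return -1;
    }
    memcpy(copyofsomedata, somedata, len + 1); /* +1 copies the NUL too */
    printf("somedata was %s\n", copyofsomedata);
    return 0;
}

/* Builds a constructed input of n 'A' characters so the check can be
 * exercised with the 200-character case from the post. */
static char sample[512];
const char *make_sample(size_t n)
{
    if (n >= sizeof sample)
        n = sizeof sample - 1;
    memset(sample, 'A', n);
    sample[n] = '\0';
    return sample;
}

int main(void)
{
    /* a 50-character input fits; the 200-character one is rejected */
    myfunc_checked(make_sample(50));
    myfunc_checked(make_sample(200));
    return 0;
}
```

The important difference is that the bound comes from the size of the
destination (sizeof copyofsomedata), not from the attacker-controlled
source string, and the copy includes the NUL so printf never reads past
the buffer either.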

