Re: [SC-L] Off-by-one errors: a brief explanation

2004-05-07 Thread Pascal Meunier
An interesting example is where an off-by-one error (CAN-2001-0609, Cfingerd 1.4.3) allowed two buffers to be joined together because the NUL byte was never written, and that made a format string vulnerability easier to exploit. http://www.securityfocus.com/archive/1/176087/2004-04-15/2004-04-

Re: [SC-L] Off-by-one errors: a brief explanation

2004-05-07 Thread Mads Rasmussen
Yves Younan wrote: More details in "Once upon a free()" by 'anonymous' in Phrack 57 article 9 http://www.phrack.org/show.php?p=57&a=9 and in my master's thesis, page 48, http://fort-knox.org/thesis.php. I liked your thesis very much; actually I was more interested in how to detect the vulnerabilitie

Re: [SC-L] Off-by-one errors: a brief explanation

2004-05-07 Thread jnf
OK yeah, after I asked I was thinking about it, and I was thinking that say if it were an array of ints, then an off by four (assuming 32b int), or otherwise would make sense, and I figured off by five would be something like that, was just wonderi

Re: [SC-L] Off-by-one errors: a brief explanation

2004-05-06 Thread Steven M. Christey
[EMAIL PROTECTED] said: > that wasn't the question- well 'not how can overwriting 5 bytes help > you', but what error do you code that's a miscount by 5 bytes? The off-by-one errors I am familiar with have manipulated character arrays, so each element is one byte long. When the index is off by o

RE: [SC-L] Off-by-one errors: a brief explanation

2004-05-06 Thread Dave Paris
> To: Steven M. Christey > Cc: [EMAIL PROTECTED] > Subject: Re: [SC-L] Off-by-one errors: a brief explanation > > I will add that a phrack paper, which I'm pretty sure introduced the > concept to the public

RE: [SC-L] Off-by-one errors: a brief explanation

2004-05-06 Thread Gary McGraw
In the chapter on buffer overflow in Exploiting Software we have a brief explanation of off-by-one NULL termination errors and show how they can be exploited. This is on pages 304-308. We provide an example with strncat(), and show how the stack looks before and after. gem See http://www.exploi

Re: [SC-L] Off-by-one errors: a brief explanation

2004-05-06 Thread jnf
I will add that a phrack paper, which I'm pretty sure introduced the concept to the public, called 'overwriting the frame pointer', or something similar to that effect, explains in all its gruesome detail. Basically if my memory serves me correctly, wh

[SC-L] Off-by-one errors: a brief explanation

2004-05-05 Thread Steven M. Christey
Mads Rasmussen <[EMAIL PROTECTED]> said: >I for one have difficulties understanding the "off-by-one" >vulnerability. Maybe a kind soul would step in? I'll try to tackle this. Corrections or additions are most welcome :) In general, off-by-one bugs involve small errors in which an array of siz
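The two off-by-one shapes the thread keeps coming back to, as an added worked example (this is not code from any of the list posts, nor from Cfingerd or Exploiting Software): a strncat() length that forgets to reserve a byte for the terminator, so the NUL lands one past the buffer (on a stack frame that is typically the low byte of the saved frame pointer, the overwrite jnf refers to), and a strncpy() of an exact-size input, which writes no NUL at all so the buffer and whatever follows it read as one string (the Cfingerd situation Pascal mentions). The buffer size (8), the sentinel value 0xAA standing in for the saved frame pointer byte, and the sample strings are all constructed for the demonstration; the "stack" is a single malloc'd region so the misbehaviour lands in memory the program owns and nothing is undefined.

```c
/*
 * Added example, not from the SC-L thread. Two off-by-one bugs reproduced
 * on a heap region laid out like the stack frame the programmer imagines:
 *   1. strncat() with n = bufsize - strlen(buf): the terminating NUL is
 *      written at buf[bufsize], one byte past the end.
 *   2. strncpy() with a source of exactly bufsize bytes: no NUL is written,
 *      so strlen() on the buffer runs on into the next one.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 8   /* hypothetical buffer size chosen for the demo */

/* Buggy: strncat(dst, src, n) copies up to n bytes and THEN writes a NUL,
 * so with n = bufsize - strlen(dst) the NUL lands at dst[bufsize]. */
void append_buggy(char *buf, size_t bufsize, const char *src)
{
    strncat(buf, src, bufsize - strlen(buf));
}

/* Fixed: leave one byte for the terminator. */
void append_fixed(char *buf, size_t bufsize, const char *src)
{
    strncat(buf, src, bufsize - strlen(buf) - 1);
}

/*
 * Simulated frame: BUFSZ bytes of buffer followed by one byte that plays
 * the low byte of the saved frame pointer (constructed value 0xAA).
 * Returns that byte after two appends: 0xAA means intact, 0x00 means the
 * off-by-one NUL overwrote it.
 */
unsigned char saved_fp_byte_after(void (*append)(char *, size_t, const char *),
                                  const char *src)
{
    unsigned char *region = malloc(BUFSZ + 1);
    if (!region) abort();
    region[BUFSZ] = 0xAA;            /* sentinel: saved frame pointer byte */
    char *buf = (char *)region;
    buf[0] = '\0';
    append(buf, BUFSZ, "ab");        /* buffer now holds 2 bytes + NUL */
    append(buf, BUFSZ, src);         /* long input: fills to the boundary */
    unsigned char result = region[BUFSZ];
    free(region);
    return result;
}

/*
 * Missing terminator: two adjacent BUFSZ buffers, the second holding
 * "next". strncpy() of an 8-byte string into the first writes no NUL, so
 * strlen(first) counts straight through into the second buffer. With the
 * fix (explicit terminator) the first buffer is truncated but a string.
 * Returns strlen() as seen from the first buffer.
 */
size_t joined_length(int fixed)
{
    char *region = malloc(2 * BUFSZ);
    if (!region) abort();
    char *first = region, *second = region + BUFSZ;
    strcpy(second, "next");              /* the adjacent buffer, constructed */
    strncpy(first, "exactly8", BUFSZ);   /* 8 bytes in, 0 terminators out */
    if (fixed)
        first[BUFSZ - 1] = '\0';         /* always terminate after strncpy */
    size_t len = strlen(first);          /* scan stays inside our region */
    free(region);
    return len;
}

int main(void)
{
    printf("strncat buggy: saved fp byte = 0x%02X\n",
           saved_fp_byte_after(append_buggy, "0123456789"));
    printf("strncat fixed: saved fp byte = 0x%02X\n",
           saved_fp_byte_after(append_fixed, "0123456789"));
    printf("strncpy buggy: strlen(first) = %zu\n", joined_length(0));
    printf("strncpy fixed: strlen(first) = %zu\n", joined_length(1));
    return 0;
}
```

Note that the buggy strncat() variant only misbehaves once the input is long enough to reach the boundary, which is why such bugs survive testing with short inputs; the strncpy() variant is silent until some later code treats the unterminated buffer as a string, which is exactly what turned the Cfingerd case into a larger (format string) problem.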