Gray Hat Hacking: The Ethical Hacker's Handbook
494
Figure 19-5 printf stack layout 1
Note how the extra stack space allocated in bar's prologue causes the location of local_buf to shift from the perspective of printf. Values that the attacker expects to find in locations 1$ to 256$ are now in locations 257$ through 512$. As a result, any assumptions the attacker makes about the location of her format string become invalid and the attack fails.
As with the other mutation techniques, it is essential to remember that this type of patch does not correct the underlying vulnerability. In the preceding example, function bar continues to contain a format string vulnerability that can be exploited if the attacker has proper knowledge of the stack layout of bar. What has been gained, however, is some measure of resistance to any automated attacks that might be created to exploit the unpatched version of this vulnerability. It cannot be stressed enough that it should never be considered a long-term solution to an exploitable condition and that a proper, vendor-supplied patch should be applied at the earliest possible opportunity.
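To make the offset shift concrete from the defender's side, here is an added Python example (not code from the book) that parses printf conversion specifications, flags a user-supplied format string that writes memory with %n or reads argument slots beyond what the call supplies, and computes where each positional index lands after a prologue pad such as the 256 slots in Figure 19-5. It assumes pad_slots is counted in argument-sized stack slots and treats a mix of numbered and unnumbered specs by simply counting, which C itself leaves undefined.

```python
import re

# One printf conversion specification: optional positional "N$", flags,
# width, precision, length modifier and the conversion character.
_SPEC = re.compile(
    r"%(?:(?P<pos>\d+)\$)?[-+ #0]*"
    r"(?P<width>\*|\d+)?(?:\.(?P<prec>\*|\d+))?"
    r"(?:hh|h|ll|l|j|z|t|L)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)


def parse_specs(fmt):
    """Return (positional index or None, conversion) for every argument-consuming
    spec. A '*' width or precision consumes an argument of its own ('*')."""
    specs = []
    for m in _SPEC.finditer(fmt):
        conv = m.group("conv")
        if conv == "%":
            continue  # literal '%', consumes no argument
        if m.group("width") == "*":
            specs.append((None, "*"))
        if m.group("prec") == "*":
            specs.append((None, "*"))
        pos = int(m.group("pos")) if m.group("pos") else None
        specs.append((pos, conv))
    return specs


def resolve_indices(fmt):
    """Map each spec to the argument slot it reads: 'N$' indices as given,
    unnumbered specs in order (assumption: mixing the two is just counted)."""
    resolved, next_seq = [], 1
    for pos, conv in parse_specs(fmt):
        if pos is None:
            pos, next_seq = next_seq, next_seq + 1
        resolved.append((pos, conv))
    return resolved


def audit(fmt, nargs=0):
    """Flag a format string that writes memory (%n) or reads slots beyond the
    nargs the call supplies, i.e. reaches up the stack into the caller's frame."""
    reads = resolve_indices(fmt)
    writes = sorted({p for p, c in reads if c == "n"})
    beyond = sorted({p for p, c in reads if p > nargs})
    return {"writes": writes, "beyond_args": beyond,
            "suspicious": bool(writes or beyond)}


def shifted_indices(fmt, pad_slots):
    """After a prologue mutation inserts pad_slots extra slots between printf's
    frame and the buffer, the data an index used to reach sits pad_slots higher;
    the old index now lands in the padding (256 slots in the page's example)."""
    return {p: p + pad_slots for p, _ in resolve_indices(fmt)}
```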
Third-Party Patching Initiatives
Every time a vulnerability is publicly disclosed, the vendor of the affected software is heavily scrutinized.