RISE Security

Update on exploiting the Samba lsa_io_trans_names() Heap Overflow in Mac OS X

July 19, 2007. By Ramon de Carvalho Valle. Comments Off
Tags: ,

After some tests, we discovered that when the smbd process is started by the lauchd daemon, exploiting this vulnerability using the size() pointer in initial_malloc_zones may cause a unexpected behavior. The lauchd daemon starts a smbd process only at the first brute force interaction, and does not start any new smbd processes at subsequent iterations, causing exploitation to fail.

However, we found a reliable way to exploit this vulnerability even if the smbd process is started by the launchd daemon.

Continue reading “Update on exploiting the Samba lsa_io_trans_names() Heap Overflow in Mac OS X”

Exploiting the Samba lsa_io_trans_names() Heap Overflow in Mac OS X

July 5, 2007. By Ramon de Carvalho Valle. Comments Off
Tags: ,

While developing an exploit for the Samba lsa_io_trans_names() Heap Overflow for the Mac OS X operating system, we discovered that the szone_free() function has some interesting behavior.

The szone_free() function can be abused to overwrite one of the function pointers in the initial_malloc_zones structure and achieve arbitrary code execution. Exploitation is not straightforward, however, due to how the szone_free() function operates.

Continue reading “Exploiting the Samba lsa_io_trans_names() Heap Overflow in Mac OS X”


Next posts

Search

Pages

Archives

Categories

Blogroll

Meta

Posts RSS. Comments RSS
© 2010 RISE Security. All rights reserved.