by unused0 2623 days ago
A writeup is on my round tuit list; some day soon.

PL/I does bounds checking on arrays, but not on pointers.

The Kermit server allocated an insufficiently large buffer to decompress packets into, and used ptrs to write to the buffer. (Errors 1 and 2: allocation and ptrs)

Later in the code, there is a 'goto state(idx)' construct, with a declaration like 'dcl state (0:6) label init (state0, state1, ....);'.

Which label is jumped to depends on the value of idx.

The 'state' variable was not declared to be state (error 3), so the table is in writable memory, and due to whatever circumstances, is above the decompress buffer.

A correctly crafted packet, when decompressed, will write over the end of the buffer and onto the state array. Later, when the goto is executed, the address transferred to has been changed. It is not the case that a transfer can be made into the decompress buffer, as it is not in an executable segment; there are lots of places that could be transferred to, leaving open the possibility of an exploit.

The error was discovered when a particular file transfer would reliably crash the kermit server, and analysis of the crash uncovered the coding errors.

1 comment
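As an added illustration of the bug class described in the comment above (not the poster's code, and not the Kermit server's PL/I source), here is a constructed C analogue: a decompress buffer followed in writable memory by a table of transfer targets, standing in for the PL/I 'state' label array. The packet format (pairs of run length and byte value), the buffer size, the function names and the sample packets are all assumptions made for this example. The unchecked routine writes through a raw byte pointer and lets an oversized packet spill into the table, which is then detected by comparison against the initial table; the checked routine tests the expanded length against the buffer before writing and rejects the packet, which is the fix the comment's errors 1 and 2 call for.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed layout (assumption for this example): a decompress buffer that is
 * too small for a legal packet's expanded size, followed in the same writable
 * segment by a table of transfer targets, like the PL/I 'state' label array. */
#define BUF_LEN     16
#define NUM_STATES  7

typedef int (*state_fn)(void);

static int state0(void) { return 0; }
static int state1(void) { return 1; }
static int state2(void) { return 2; }
static int state3(void) { return 3; }
static int state4(void) { return 4; }
static int state5(void) { return 5; }
static int state6(void) { return 6; }

struct segment {
    unsigned char decompress_buf[BUF_LEN];   /* the undersized buffer */
    state_fn state[NUM_STATES];              /* 'dcl state (0:6) label init (...)' analogue */
};

static const state_fn initial_state[NUM_STATES] = {
    state0, state1, state2, state3, state4, state5, state6
};

void segment_init(struct segment *seg) {
    memset(seg->decompress_buf, 0, BUF_LEN);
    memcpy(seg->state, initial_state, sizeof initial_state);
}

/* Packet format (assumed for this example): pairs of (run length, byte value). */

/* Errors 1 and 2 from the comment: output goes through a raw byte pointer over
 * the whole segment with no check against BUF_LEN, so a run that exceeds the
 * buffer spills into the state table that follows it. Returns bytes written.
 * The only bound kept is the end of the segment object, so the demo itself
 * stays within defined behaviour. */
size_t decompress_unchecked(struct segment *seg, const unsigned char *pkt, size_t pkt_len) {
    unsigned char *out = (unsigned char *)seg;   /* byte view of the segment */
    size_t pos = 0;
    for (size_t i = 0; i + 1 < pkt_len; i += 2) {
        unsigned char run = pkt[i], val = pkt[i + 1];
        for (unsigned char r = 0; r < run; r++) {
            if (pos >= sizeof *seg) return pos;
            out[pos++] = val;
        }
    }
    return pos;
}

/* Hardened form: the expanded length is checked against the remaining buffer
 * space before any byte of the run is written, so a packet that would expand
 * past BUF_LEN is rejected (-1) and the state table is never touched. */
long decompress_checked(struct segment *seg, const unsigned char *pkt, size_t pkt_len) {
    size_t pos = 0;
    for (size_t i = 0; i + 1 < pkt_len; i += 2) {
        size_t run = pkt[i];
        if (run > BUF_LEN - pos) return -1;      /* would overflow: reject first */
        memset(seg->decompress_buf + pos, pkt[i + 1], run);
        pos += run;
    }
    return (long)pos;
}

/* Detection: compare the live table against its known-good initial contents. */
int state_table_intact(const struct segment *seg) {
    return memcmp(seg->state, initial_state, sizeof initial_state) == 0;
}

/* Constructed packets: 30 expanded bytes (too many) and 16 (exactly fits). */
static const unsigned char oversized_packet[] = { 10, 'A', 10, 'B', 10, 'C' };
static const unsigned char fitting_packet[]   = { 8, 'x', 8, 'y' };

/* Returns 1 if the state table survived decompressing the oversized packet. */
int demo(int use_checked) {
    struct segment seg;
    segment_init(&seg);
    if (use_checked)
        decompress_checked(&seg, oversized_packet, sizeof oversized_packet);
    else
        decompress_unchecked(&seg, oversized_packet, sizeof oversized_packet);
    return state_table_intact(&seg);
}

/* Result of the checked decompressor on a fresh segment, for a given packet. */
long checked_length(const unsigned char *pkt, size_t pkt_len) {
    struct segment seg;
    segment_init(&seg);
    return decompress_checked(&seg, pkt, pkt_len);
}

int main(void) {
    printf("unchecked: state table intact = %d\n", demo(0));
    printf("checked:   state table intact = %d\n", demo(1));
    return 0;
}
```

The corrupted table is never dereferenced here; the point is that a length check before the write is what keeps the jump targets in the comment's 'goto state(idx)' under the program's control, and that comparing a dispatch table against a known-good copy is a cheap way to detect this kind of overwrite in a crash dump.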

Thanks for sharing.

I always find such stories interesting.