Escaping the sandbox: A bug that speaks for itself
The bug here is pretty simple, the XML parser reads tags into a struct XMLTAG
in that struct there is an array for storing attributes, which allocates space for at-most 10 attributes. The parser itself doesn’t check these bounds, allowing for a tag with more than 10 attribute to overflow on the stack. As the first piece of data after the array is the NumAttrs
value which is used to index into the array as it writes. This gives a neat little ability to take this apparent linear overflow, and make it non-linear, being able to give over values by corrupting NumAttrs
. The authors initially took advantage of this unknowingly to jump over the stack canary and corrupt the saved return address but did not take it to full exploitation.
The more interesting aspect of this is on the vulnerability research side as this bug existed 20+ years. Its fairly simple to understand, and even easy to fuzz, but the vulnerability functionality isn’t clear.