[Full-Disclosure] format strings on HP-UX

Bruce Ediger eballen1 at qwest.net
Mon Jan 20 22:32:19 GMT 2003


On Mon, 20 Jan 2003 bt at delfi.lt wrote:

> Are they exploitable?
>
> I was looking for a format strings exploit on HP-UX, but couldn't find
> any. Maybe because they are not exploitable??? If they are, I would
> appreciate very much if anyone could provide some information about
> that.

I think that's a pretty good question, and I don't have an answer.
Since HP-UX runs on HP's "PA" architecture, the answer may very well
be "no".  The PA architecture has a few oddities:

1. What unix people think of as "stack" and "heap" are reversed relative
to how they appear in SPARC, Mips, 68k and x86.  The stack is at a lower
address than the heap.

2. Stack grows up, heap grows down.  This, too, is reversed relative to
SPARC, Mips, x86, 68k.  I think this implies that "stack underflows"
are more exploitable than "stack overflows", but I don't really know
for certain.

3. The PA architecture is segmented.  HP does their best to hush this up
and obfuscate it, but there's a "SR" segment register.  I forget exactly
how this thing works, but it's *not* like x86.  You can only get to a
given memory location with 1 combination of SR and 32-bit address.
It's possible that stack and heap and ".text segment" live in different
segments.

4. The heap and the stack are typically marked "non-executable".  I realize
this doesn't protect 100% against stack overflows, but it sure makes them
harder.

All-in-all the PA architecture is a bit hard to get your head around, if you're
used to Mips/SPARC/68k big-endian memory arrangements.
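
A small probe for checking items 1 and 2 above on whatever machine it is compiled on, added here as an example and not part of the original post. The function names are hypothetical, `__attribute__((noinline))` assumes GCC or Clang, and the result describes only the host the program runs on.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* +1 if `inner` lies at a higher address than `outer`, -1 if lower, 0 if equal. */
static int direction(uintptr_t outer, uintptr_t inner)
{
    return (inner > outer) - (inner < outer);
}

/* noinline forces a real call, so this local sits in a newer stack frame
   than the caller's local (GCC/Clang attribute, an assumption). */
__attribute__((noinline)) static int compare_in_callee(uintptr_t caller_addr)
{
    volatile char marker = 0;
    return direction(caller_addr, (uintptr_t)&marker);
}

/* +1: stack grows toward higher addresses (what item 2 reports for PA).
   -1: stack grows toward lower addresses (usual on x86, SPARC, MIPS, 68k). */
__attribute__((noinline)) int stack_growth(void)
{
    volatile char marker = 0;
    int d = compare_in_callee((uintptr_t)&marker);
    marker = (char)d;   /* keep this frame live across the call (no tail call) */
    return d;
}

/* +1: a heap block sits above the stack (item 1 for PA), -1: below it. */
int heap_vs_stack(void)
{
    volatile char on_stack = 0;
    void *on_heap = malloc(64);
    int d;

    if (on_heap == NULL)
        return 0;       /* allocation failed, nothing to compare */
    d = direction((uintptr_t)&on_stack, (uintptr_t)on_heap);
    free(on_heap);
    return d;
}

int main(void)
{
    printf("stack grows %s\n", stack_growth() > 0 ? "up" : "down");
    printf("heap is %s the stack\n", heap_vs_stack() > 0 ? "above" : "below");
    return 0;
}
```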




Full-Disclosure is hosted and sponsored by Secunia.