Bugtraq mailing list archives
Re: Very interesting traceroute flaw
From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Sun, 1 Oct 2000 00:11:49 +0200
On Fri, 29 Sep 2000 pedward () WEBCOM COM wrote:
> What is causing the segmentation fault is freeing of unallocated memory, not the fact that you are calling free in the middle of a chunk of malloced memory.
1. p = savestr(S)

   savestr() allocates a 1024-byte long buffer and stores S there:

   +----------------------------+----------------------------+
   | S[0] S[1] ... S[l-1] \0    | junk                       |
   +----------------------------+----------------------------+

2. free(p)

   free() frees the buffer; it may scrub some bytes at the beginning,
   as well as at the end, but it will probably leave most of the buffer
   intact:

   +-------+--------------------+----------------------------+
   | junk  | S[k] ... S[l-1] \0 | junk                       |
   +-------+--------------------+----------------------------+

3. p = savestr(T)

   stores T into the unallocated memory that used to be the buffer:

   +-------+--------------------+--------------------+-------+
   | junk  | S[k] ... S[l-1] \0 | T[0] ... T[n-1] \0 | junk  |
   +-------+--------------------+--------------------+-------+

4. free(p)

   calls free() with a pointer pointing at the byte where T[0] was
   stored; if the implementation of malloc/free does the usual thing and
   puts its own data before allocated blocks, free() will treat the end
   of S (plus the trailing zero) as those private data.

Nevertheless, to make this exploitable, one would have to make S,
including the fake malloc/free private data, acceptable to either
inet_addr() or gethostbyname(). inet_addr() limits the set of characters
to digits and dots unless it is seriously broken. This means one would
have to "convince" gethostbyname() to return successfully on a string of
binary garbage, and this would not be easy, esp. if the local resolver is
a fussy one and refuses to accept responses containing illegal hostnames
(AFAIK, the resolvers in glibc2.x are fussy).
> This code will produce SIGBUS on solaris and other hardware that supports misaligned access exceptions.
It depends on the length of S.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
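The four-step sketch above, as an added model that is not code from the thread or from traceroute itself: a bump-pointer savestr() hands out slices of one 1024-byte buffer, the caller frees the first slice, writes a second string into the now-freed buffer, and the next free() would land on a pointer in the middle of that chunk. A toy heap (an assumed 8-byte size header before each block, and an assumed overwrite of the first 8 bytes on free, standing in for a free-list link) replaces the real malloc/free so the program can report what that last free() would read as its private data, instead of crashing. The hostnames and address are constructed inputs; nothing here is the real traceroute source.

```c
/* Model of the savestr()/free() sequence sketched in the reply above.
 * Toy heap: 8-byte size header before each block; free() reads it back
 * and scribbles over the first 8 bytes of the block (assumed behaviour,
 * chosen to mimic a free-list link, not any particular libc).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE    4096
#define HDR           8        /* assumed size of free()'s private data */
#define SAVESTR_CHUNK 1024

static union { uint64_t align; unsigned char bytes[ARENA_SIZE]; } arena;
static size_t arena_top;

/* toy_malloc: size header stored just before the returned, 8-aligned block */
static void *toy_malloc(size_t n)
{
    n = (n + 7) & ~(size_t)7;
    if (arena_top + HDR + n > ARENA_SIZE)
        return NULL;
    unsigned char *hdr = arena.bytes + arena_top;
    uint64_t size = n;
    memcpy(hdr, &size, HDR);
    arena_top += HDR + n;
    return hdr + HDR;
}

/* toy_free: read the header back (what step 4 would do), then overwrite
 * the first 8 bytes of the block; the rest of the block is left intact,
 * which is what lets the tail of S survive step 2. */
static uint64_t toy_free(void *p)
{
    uint64_t believed;
    memcpy(&believed, (unsigned char *)p - HDR, HDR);
    memset(p, 0xAA, HDR);
    return believed;
}

/* savestr() modelled after the traceroute one under discussion: one
 * 1024-byte buffer, sliced with a bump pointer, never handed back. */
static char *strptr;
static size_t strsize;

static char *savestr(const char *str)
{
    size_t size = strlen(str) + 1;
    if (size > strsize) {
        strsize = size > SAVESTR_CHUNK ? size : SAVESTR_CHUNK;
        strptr = toy_malloc(strsize);
        if (!strptr)
            abort();
    }
    char *cp = memcpy(strptr, str, size);
    strptr += size;
    strsize -= size;
    return cp;
}

struct outcome {
    int t_inside_freed_s;           /* step 3: T landed inside the freed buffer */
    int header_misaligned;          /* fake header not 8-aligned: SIGBUS on strict CPUs */
    unsigned char fake_header[HDR]; /* bytes free(p) would take as its private data */
};

/* Steps 1-3 of the sketch; step 4 is not performed, only what it would read. */
static struct outcome run_sequence(const char *S, const char *T)
{
    struct outcome o;
    memset(&o, 0, sizeof o);
    arena_top = 0; strptr = NULL; strsize = 0;   /* fresh heap per run */

    char *p = savestr(S);                        /* 1. S copied into the buffer */
    char *s_buf = p;
    toy_free(p);                                 /* 2. buffer freed, tail of S survives */
    p = savestr(T);                              /* 3. T appended inside freed memory */

    o.t_inside_freed_s = (p > s_buf && p < s_buf + SAVESTR_CHUNK);
    unsigned char *hdr = (unsigned char *)p - HDR;
    o.header_misaligned = ((uintptr_t)hdr % 8) != 0;
    memcpy(o.fake_header, hdr, HDR);             /* 4. what free() would consume */
    return o;
}

/* Convenience for checks: byte i of the fake header for a given S and T. */
static int fake_header_byte(const char *S, const char *T, int i)
{
    struct outcome o = run_sequence(S, T);
    return o.fake_header[i];
}

int main(void)
{
    const char *hosts[] = { "www.example.com", "localhost" };   /* constructed S values */
    for (int h = 0; h < 2; h++) {
        struct outcome o = run_sequence(hosts[h], "198.51.100.7");
        printf("S=%-16s T inside freed S: %d  header misaligned: %d  fake header:",
               hosts[h], o.t_inside_freed_s, o.header_misaligned);
        for (int i = 0; i < HDR; i++)
            printf(" %02x", o.fake_header[i]);
        printf("\n");
    }
    return 0;
}
```

With S = "www.example.com" (15 characters) the fake header is the bytes "ple.com\0", exactly the end of S plus the trailing zero, at an 8-aligned address; with S = "localhost" (9 characters) the header straddles the scrubbed start of the block and sits at an address 2 bytes past alignment, which is the length-dependent SIGBUS case. Whether a real free() reads a size, a free-list link or a magic value there depends on the libc, but it reads something it trusts from bytes the attacker chose.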