Bugtraq mailing list archives
Re: Very interesting traceroute flaw
From: Daniel Jacobowitz <dmj+ () ANDREW CMU EDU>
Date: Sat, 30 Sep 2000 17:18:42 -0400
On Fri, Sep 29, 2000 at 09:51:02AM -0700, pedward () WEBCOM COM wrote:
> What is causing the segmentation fault is freeing of unallocated memory, not the fact that you are calling free in the middle of a chunk of malloced memory. This code will produce SIGBUS on Solaris and other hardware that supports misaligned access exceptions.
No... this is not a misaligned access if the data saved is of the proper size.
> I have downloaded the sources and done the work: The second -g 1 causes a free() on an unallocated pointer. The problem is that the second 'savestr' doesn't actually allocate a chunk of memory for hi->name, so when free is called against the bogus pointer it segfaults in chunk_free. The hi->name is actually written to an unallocated, but unused portion of the heap.
Not necessarily unused, depending on the sequence of options passed. You can corrupt resolver datastructures this way.
> If this is possibly exploitable (rh6.2 rev 18), then I would be REALLY surprised. savestr is only used in gethostinfo, totally innocuous.
Passing user-controlled data to free is sufficient. I'm thoroughly convinced that this would be exploitable, at least on big-endian architectures (the trailing 0 of the saved string can be problematic). For more information, see the discussion in the security-audit mail archives when the issue was first noticed (well, second - I had a private conversation with Chris Evans about it after he first mentioned it, if I recall correctly): http://www.geocrawler.com/archives/3/302/2000/8/0/

Also see the discussion of heap overflows by Solar Designer that Chris mentioned in the original post in this thread.

Dan

/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz              |__| SCS Class of 2002              |
| Debian GNU/Linux Developer      __  Carnegie Mellon University     |
| dan () debian org              |  | dmj+ () andrew cmu edu         |
\--------------------------------/ \--------------------------------/
Current thread:
- Very interesting traceroute flaw Chris Evans (Sep 29)
- Re: Very interesting traceroute flaw Sylvain Robitaille (Sep 29)
- Re: Very interesting traceroute flaw Martin Peikert (Sep 29)
- Re: Very interesting traceroute flaw Daniel Jacobowitz (Sep 30)
- Re: Very interesting traceroute flaw Casper Dik (Sep 29)
- Re: Very interesting traceroute flaw pedward (Sep 30)
- Re: Very interesting traceroute flaw Daniel Jacobowitz (Sep 30)
- Re: Very interesting traceroute flaw Elias Levy (Sep 30)