Vulnerability Development mailing list archives

traceroute-4.4BSD (slack) heap overflow


From: Cristi Dumitrescu <cristid () CHIP RO>
Date: Thu, 4 Jan 2001 18:08:03 -0800

Hi,

A while ago I was studying the source code for this traceroute... I found
this in the inetname function:

...
        static char line[50];
...
        if (cp)
                (void) strcpy(line, cp);
        else {
...

The cp variable holds at that point the hostname for the current host it's
tracing. If the hostname is something like a little bit bigger than 4096+50
chars it will overflow some other variables from the heap. You can easily
check this out by modifying your /etc/hosts, I remember I made it segfault,
though I don't remember exactly how. Anyway, I debugged it and ltraced for a
couple of hours and I doubt an exploit could be done, especially given the
fact that it's a hostname we're overflowing. So, I thought I'd post it here,
maybe someone thinks of a way to actually do something with this.
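A bounded replacement for the strcpy(line, cp) fragment above, added here as an example (it is not traceroute's code nor the poster's); copy_hostname, inetname_bounded, the "?" fallback for the elided else branch and the constructed 4200-byte name are all assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LINE_SIZE 50   /* mirrors "static char line[50]" from the post */

/* Copy the resolver-supplied name into the fixed buffer, truncating instead
 * of overflowing. Returns 1 if the name fit, 0 if it had to be truncated
 * (the last three characters are then replaced by "..." so the truncation
 * is visible in the output). */
static int copy_hostname(char *line, size_t line_size, const char *cp)
{
    size_t len = strlen(cp);
    if (len < line_size) {
        memcpy(line, cp, len + 1);            /* includes the NUL */
        return 1;
    }
    memcpy(line, cp, line_size - 1);          /* never past the buffer end */
    line[line_size - 1] = '\0';
    if (line_size > 4)
        strcpy(line + line_size - 4, "...");  /* 4 bytes, ends at line_size-1 */
    return 0;
}

/* Hypothetical bounded counterpart of the inetname() fragment in the post. */
static char *inetname_bounded(const char *cp)
{
    static char line[LINE_SIZE];
    if (cp == NULL) {
        strcpy(line, "?");   /* assumed fallback; the original else branch is elided */
        return line;
    }
    copy_hostname(line, sizeof line, cp);
    return line;
}

int main(void)
{
    char big[4200];          /* constructed: a name longer than 4096+50 chars */
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("%s\n", inetname_bounded("host.example"));
    printf("%s\n", inetname_bounded(big));
    return 0;
}
```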

