Vulnerability Development mailing list archives
traceroute-4.4BSD (slack) heap overflow
From: Cristi Dumitrescu <cristid () CHIP RO>
Date: Thu, 4 Jan 2001 18:08:03 -0800
Hi,

A while ago I was studying the source code for this traceroute... I found this in the inetname function:

    ...
    static char line[50];
    ...
    if (cp)
        (void) strcpy(line, cp);
    else {
    ...

The cp variable holds at that point the hostname for the current host it's tracing. If the hostname is something like a little bit bigger than 4096+50 chars, it will overflow some other variables from the heap. You can easily check this out by modifying your /etc/hosts; I remember I made it segfault, though I don't remember exactly how.

Anyway, I debugged it and ltraced it for a couple of hours, and I doubt an exploit could be done, especially given the fact that it's a hostname we're overflowing. So, I thought I'd post it here; maybe someone thinks of a way to actually do something with this.
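For reference, a bounded replacement for the strcpy() into the 50-byte static buffer, written as an added example rather than taken from the traceroute source or from the poster: copy_hostname, the demo helpers and the 'a'-filled oversized hostname are all constructed here to show that the copy stays inside the buffer and that truncation is reported to the caller.

```c
#include <stdlib.h>
#include <string.h>

#define LINE_SZ 50                 /* matches the static line[50] in the post */

/* Bounded replacement for the post's "(void) strcpy(line, cp);".
 * Copies at most line_sz-1 bytes and always NUL-terminates.
 * Returns 1 if the name had to be truncated, 0 otherwise; a caller
 * can treat 1 as "fall back to printing the numeric address". */
int copy_hostname(char *line, size_t line_sz, const char *cp)
{
    size_t n;

    if (line_sz == 0)
        return 1;
    if (cp == NULL) {              /* the post's else branch: no name */
        line[0] = '\0';
        return 0;
    }
    n = strlen(cp);
    if (n >= line_sz) {            /* would not fit with its terminator */
        memcpy(line, cp, line_sz - 1);
        line[line_sz - 1] = '\0';
        return 1;
    }
    memcpy(line, cp, n + 1);
    return 0;
}

/* Demo harness (constructed): build a hostname of hostlen 'a' characters,
 * standing in for an oversized /etc/hosts entry, copy it into a LINE_SZ
 * buffer and report the truncation flag and the resulting length. */
static char line[LINE_SZ];

int demo_truncated(size_t hostlen)
{
    char *host = malloc(hostlen + 1);
    int truncated;

    if (host == NULL)
        return -1;
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';
    truncated = copy_hostname(line, sizeof line, host);
    free(host);
    return truncated;
}

size_t demo_result_len(size_t hostlen)
{
    (void) demo_truncated(hostlen);
    return strlen(line);           /* never exceeds LINE_SZ - 1 */
}
```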