Vulnerability Development mailing list archives
Re: traceroute-4.4BSD (slack) heap overflow
From: Techno Bob <tbob () TECHIE COM>
Date: Fri, 5 Jan 2001 16:42:53 -0500
------Original Message------

Hi,

A while ago I was studying the source code for this traceroute... I found this in the inetname function:

    ....
    static char line[50];
    ....
    if (cp)
        (void) strcpy(line, cp);
    else {
    ....

The cp variable holds at that point the hostname for the current host it's tracing. If the hostname is something like a little bit bigger than 4096+50 chars it will overflow some other variables from the heap. You can easily check this out by modifying your /etc/hosts, I remember I made it segfault, tho I don't remember exactly how.

Anyway, I debugged it and ltraced for a couple of hours and I doubt an exploit could be done, especially given the fact that it's a hostname we're overflowing. So, I thought I'd post it here, maybe someone thinks of a way to actually do something with this.

-----------------------

I actually spotted something very much like this recently whilst writing a traceroute-like program - but I assumed I was looking at an old version and this would've been fixed by now.

I'm not entirely sure _how_ you would exploit this, which is probably why they made it static rather than local. The function inetname actually returns the overflowed buffer "line" which is printed by printf as %s. Because printf() FILE structures are held in the heap you could overwrite the FILE structure to point to any file (as traceroute is root) to be overwritten with the string "line".

Or I could be totally wrong. Anyway, if everyone knows whether I'm right, or just totally young, wrong and naive I'd like to know.

Thanx

TBob
"Veni Vermini Vomui"

PS Apologies to Cristi as I originally sent this to him personally by mistake.
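As an added illustration of the fix for the unbounded strcpy() into line[50] discussed above (this is example code, not traceroute's own source or anything posted in the thread): a bounded copy that truncates an oversized hostname instead of overrunning the buffer, with a check that reproduces the "a bit bigger than 4096+50" case. The function names, the 4147-byte constructed hostname and the sample hostname string are assumptions for the example.

```c
#include <string.h>

#define LINE_SZ 50  /* matches the static char line[50] in inetname() */

/* Bounded replacement for strcpy(line, cp): copies at most line_sz-1 bytes
 * and always NUL-terminates, so an oversized hostname (from /etc/hosts or a
 * reverse-DNS reply) is truncated rather than overwriting whatever follows
 * 'line' in memory. */
const char *copy_hostname_bounded(char *line, size_t line_sz, const char *cp)
{
    size_t n = strlen(cp);
    if (n >= line_sz)
        n = line_sz - 1;          /* leave room for the terminator */
    memcpy(line, cp, n);
    line[n] = '\0';
    return line;
}

/* 1 if an unbounded strcpy() of cp into a line_sz buffer would write past
 * the end (the defect in the original code), else 0. Nothing is copied. */
int strcpy_would_overflow(const char *cp, size_t line_sz)
{
    return strlen(cp) + 1 > line_sz;
}

/* Constructed check: a hostname of 4096+50+1 'A' characters is flagged as an
 * overflow by the old pattern and truncated to 49 chars by the bounded copy. */
int check_long_hostname(void)
{
    static char hostname[4096 + 50 + 2];   /* constructed, 4147 'A's + NUL */
    static char line[LINE_SZ];
    memset(hostname, 'A', sizeof hostname - 1);
    hostname[sizeof hostname - 1] = '\0';
    copy_hostname_bounded(line, sizeof line, hostname);
    return strcpy_would_overflow(hostname, LINE_SZ)
        && strlen(line) == LINE_SZ - 1;
}

/* Constructed check: an ordinary hostname is copied unchanged. */
int check_short_hostname(void)
{
    static char line[LINE_SZ];
    const char *host = "router.example.net";   /* constructed sample */
    copy_hostname_bounded(line, sizeof line, host);
    return !strcpy_would_overflow(host, LINE_SZ)
        && strcmp(line, host) == 0;
}
```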