Vulnerability Development mailing list archives
Re: traceroute-4.4BSD (slack) heap overflow
From: El Nahual <nahual () S0D SAL ITESM MX>
Date: Sat, 6 Jan 2001 05:44:10 -0900
Well bro there is an easy way to do that ... =) ... reverse DNS maybe? I remember seeing from another pen-tester (bows to him) a remote OpenBSD exploit with the format one that yielded root, saw it with my own 2 little eyes. He modified the hosts file. We played a little with it and realized that in that case, since the offending code was in setproctitle(), we could put the shell code in the DNS to point into our name. Maybe something like that can be done to exploit this ... I'll play with it a little bit.

El Nahual

On Thu, 4 Jan 2001, Cristi Dumitrescu wrote:
Hi,

A while ago I was studying the source code for this traceroute... I found this in the inetname function:

    ...
    static char line[50];
    ...
    if (cp)
            (void) strcpy(line, cp);
    else {
    ...

The cp variable holds at that point the hostname for the current host it's tracing. If the hostname is something like a little bit bigger than 4096+50 chars it will overflow some other variables from the heap. You can easily check this out by modifying your /etc/hosts; I remember I made it segfault, though I don't remember exactly how.

Anyway, I debugged it and ltraced for a couple of hours and I doubt an exploit could be done, especially given the fact that it's a hostname we're overflowing. So, I thought I'd post it here, maybe someone thinks of a way to actually do something with this.
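The pattern under discussion, as an added example that is not code from the thread or from the 4.4BSD traceroute source: an unbounded strcpy() of a resolver-supplied name into a fixed 50-byte static buffer, shown next to a bounded copy that reports truncation. The name argument stands in for the reverse-lookup result (cp in the quoted fragment), LINE_LEN mirrors the quoted `static char line[50]`, and the long hostname is constructed inline; the 4096+50 figure from the post is used only to size that constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_LEN 50   /* mirrors "static char line[50]" in the quoted inetname() */

/* Vulnerable shape as quoted in the post: strcpy() into a fixed static buffer
 * with no length check. Only safe to call with names shorter than LINE_LEN;
 * anything longer writes past the buffer (undefined behaviour). */
static const char *inetname_unsafe(const char *name)
{
    static char line[LINE_LEN];
    if (name)
        (void) strcpy(line, name);   /* no bound on strlen(name) */
    else
        line[0] = '\0';
    return line;
}

/* Hardened shape: copy at most LINE_LEN-1 bytes, always NUL-terminate,
 * and tell the caller whether the name was cut short. */
static const char *inetname_safe(const char *name, int *truncated)
{
    static char line[LINE_LEN];
    size_t n;

    *truncated = 0;
    if (!name) {
        line[0] = '\0';
        return line;
    }
    n = strlen(name);
    if (n >= LINE_LEN) {
        n = LINE_LEN - 1;
        *truncated = 1;
    }
    memcpy(line, name, n);
    line[n] = '\0';
    return line;
}

/* Nonzero when strcpy() of name into a LINE_LEN buffer would overrun it
 * (the copy needs strlen(name) + 1 bytes for the terminator). */
static int would_overflow(const char *name)
{
    return name != NULL && strlen(name) + 1 > LINE_LEN;
}

/* Constructed hostname of len bytes, all 'a'; caller frees. */
static char *make_long_name(size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, 'a', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    int trunc;
    char *name = make_long_name(4096 + 50 + 8);   /* constructed sample input */
    const char *r;

    if (!name)
        return 1;
    printf("strcpy would overflow line[%d]: %d\n", LINE_LEN, would_overflow(name));
    r = inetname_safe(name, &trunc);
    printf("bounded copy: %zu bytes, truncated=%d\n", strlen(r), trunc);
    /* inetname_unsafe(name) is deliberately not called with the long name. */
    free(name);
    return 0;
}
```

The check that matters is `strlen(name) + 1 > LINE_LEN`, not `strlen(name) > LINE_LEN`: a 49-character name fits, a 50-character name already overwrites one byte past the buffer with the terminator. Whether the bytes that follow `line` in the data segment are exploitable is exactly the question the thread leaves open; the bounded copy makes it moot.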
Current thread:
- traceroute-4.4BSD (slack) heap overflow Cristi Dumitrescu (Jan 05)
- Re: traceroute-4.4BSD (slack) heap overflow Heinrich Langos (Jan 05)
- Re: traceroute-4.4BSD (slack) heap overflow Cristi Dumitrescu (Jan 05)
- Re: traceroute-4.4BSD (slack) heap overflow Jose Nazario (Jan 07)
- Re: traceroute-4.4BSD (slack) heap overflow Slawek (Jan 07)
- Re: traceroute-4.4BSD (slack) heap overflow Cristi Dumitrescu (Jan 05)
- Re: traceroute-4.4BSD (slack) heap overflow El Nahual (Jan 06)
- Re: traceroute-4.4BSD (slack) heap overflow Cristi Dumitrescu (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Slawek (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Cristi Dumitrescu (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Olaf Kirch (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Dale Thatcher (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Gordon Messmer (Jan 09)
- Re: traceroute-4.4BSD (slack) heap overflow Frank de Lange (Jan 09)
- Re: traceroute-4.4BSD (slack) heap overflow Matt Zimmerman (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Olaf Kirch (Jan 09)
- Re: traceroute-4.4BSD (slack) heap overflow Rodrigo Barbosa (aka morcego) (Jan 10)
- Re: traceroute-4.4BSD (slack) heap overflow Dale Thatcher (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Cristi Dumitrescu (Jan 09)
- Re: traceroute-4.4BSD (slack) heap overflow Heinrich Langos (Jan 05)