Re: ZLib double free bug: Windows NT potentially unaffected

[Dragos Ruiu <dr () kyx net>]

On Thu, 14 Mar 2002 18:52:13 +0100
"KJK::Hyperion" <noog () libero it> wrote:

> ZLib implementations on Windows NT should be unaffected by the "double 
> free" bug, as long as they use the heap management functions of the Runtime 
> Library (RTL), or any front-end to them, since these functions do a pretty 
> good job at preventing heap corruption and access violations

I've been researching this bug since I heard that ssh passes packets to zlib
unauthenticated this weekend, and to the best of my knowledge here is what I've 
been able to ascertain:

Double free vulnerabilities are primarily an issue for malloc implementations
based on Doug Lea's malloc. This primarily means linux systems currently.

The vulnerability arises from the ability to use a technique first credited to
Solar Designer, to exploit the unlink() routine into thinking the re-freed segment
presents a valid block descriptor and to trick it into overwriting arbitrary 
locations with the data in that spoofed block descriptor. This comes about due to 
the <descriptor><mem><descriptor><mem> structure and algorithms this allocator 
uses.  Other mallocs, such as the openbsd ones are not vulnerable to this kind 
of exploitation because they store the descriptors elsewhere. (Awww sorry kids,
no obsd sploits this week just linux, shucks :-( ) [besides, Theo can still brag 
that they fixed their zlib implementation in obsd-current in January :-)]

There is a very very very detailed and lengthy (skip to end for punchline :-)
article in Phrack [0x0b 0x39 #0x09] (yay, phrack!) outlining the algorithms and 
how exploitation of this error works entitled: Once Upon a Free

This is not to say other methods of exploting double-free errors do not exist,
but exploiting non-dlmalloc implementations will be uh... more difficult.
So before going off to do a lot of work researching what compression libs are 
used in the various programs on Windows, qnx and whatever platforms... first
have a look at the maloc library and see if it's branched off a tree coming
from the Doug Lea design, because if it's not you may not have an issue.
Also as noted above some malloc libraries have explicit protection mechanisms 
for this class of error.

If anyone knows of any other double free exploitation techniques for other
platforms and malloc implementations, that I've missed in my survey, 
I would of course be interested in hearing about it. :-)

So to confirm, yeah it looks like windows gets free pass in this round.

cheers,
--dr

P.s. is there any more data on the specific kinds/algorithms of sequences that 
cause the doublefree to be invoked? wading through it with ddd is a pita ;)
The original bug discussion board posting and code comments are not exactly 
lucid.

P.P.s. in other gossip, discussion of this vulnerability in such rapid succession 
with the recent off by one has led Niels Provos to have some wonderful ideas, 
and he's coming up with a priviledge separated version of sshd that does not 
need to be root when handling network input. Details on his homepage. His patch 
is not quite working yet, but he says it will migrate into the portable version 
of openssh when tested and debugged. Wheee. Provos++

(Plug: come talk to him about it in Vancouver in May at cansecwest. :-)
-- 
--dr                  pgpkey: http://dragos.com/dr-dursec.asc
      CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com