Dailydave mailing list archives
Re: OpenBSD icmp6 overflow
From: Joel Eriksson <je-dailydave () bitnux com>
Date: Thu, 15 Mar 2007 00:59:28 +0100
On Wed, Mar 14, 2007 at 03:31:16PM +0100, Sebastian Krahmer wrote:
> you probably know about http://www.coresecurity.com/?action=item&id=1703
> the description of how to exploit it sounds straightforward, so I wonder
> how this could be missed at the first look ;-)

My thoughts exactly. ;)

Exploiting mbuf overflows is not exactly rocket science (and no, this is not the first of its kind), especially not for someone familiar with the code base, as I assume the OpenBSD developers to be.

The possible mirrored overwrite should be obvious to anyone realizing that mbufs are stored in a doubly linked list and the very convenient ext_free function pointer to anyone bothering to read the source. ;) Although the use of macros makes it a bit tedious.. (m_free -> MFREE -> _MEXTREMOVE)

> regards, Sebastian
--
Best Regards,
Joel Eriksson
CTO Bitsec
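The mirrored overwrite mentioned in the reply above, shown on a toy doubly linked list beside an unlink that validates its neighbours before writing. This is an added example, not code from the post or from OpenBSD; `struct node`, `unlink_naive`, `unlink_checked` and `demo` are hypothetical names, and the corrupted links are simulated by plain assignment.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified list header; hypothetical, not OpenBSD's struct mbuf. */
struct node { struct node *next, *prev; };

/* Classic unlink: both store targets come from the node being removed, so
 * overwritten next/prev fields redirect each store to wherever they point. */
static void unlink_naive(struct node *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
}

/* Hardened unlink: proceed only if both neighbours still point back at n.
 * Returns 0 on success, -1 if the links are inconsistent. */
static int unlink_checked(struct node *n)
{
    if (n->prev == NULL || n->next == NULL)
        return -1;
    if (n->prev->next != n || n->next->prev != n)
        return -1;
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->next = n->prev = NULL;
    return 0;
}

/* Constructed scenario: b's links are replaced with pointers to unrelated
 * objects x and y. Returns 1 when the expected outcome is observed. */
static int demo(int use_check)
{
    struct node a, b, c, x = {NULL, NULL}, y = {NULL, NULL};
    a.next = &b; b.next = &c; c.next = &a;   /* ring a <-> b <-> c */
    a.prev = &c; b.prev = &a; c.prev = &b;
    b.prev = &x;                             /* simulated corruption */
    b.next = &y;
    if (use_check)   /* rejected: x and y are left untouched */
        return unlink_checked(&b) == -1 && x.next == NULL && y.prev == NULL;
    unlink_naive(&b);                        /* mirrored write into x and y */
    return x.next == &y && y.prev == &x;
}

int main(void)
{
    printf("naive unlink wrote through corrupted links: %d\n", demo(0));
    printf("checked unlink refused and wrote nothing:  %d\n", demo(1));
    return 0;
}
```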