Dailydave mailing list archives

Re: OpenBSD icmp6 overflow


From: Joel Eriksson <je-dailydave () bitnux com>
Date: Thu, 15 Mar 2007 00:59:28 +0100

On Wed, Mar 14, 2007 at 03:31:16PM +0100, Sebastian Krahmer wrote:

> you probably know about
> http://www.coresecurity.com/?action=item&id=1703
>
> the description of how to exploit it sounds
> straightforward, so I wonder how this could
> be missed at the first look ;-)

My thoughts exactly. ;) Exploiting mbuf overflows is not exactly rocket
science (and no, this is not the first of its kind), especially not for
someone familiar with the code base, as I assume the OpenBSD developers
to be.

The possible mirrored overwrite should be obvious to anyone realizing
that mbufs are stored in a doubly linked list, and the very convenient
ext_free function pointer to anyone bothering to read the source. ;)
Although the use of macros makes it a bit tedious...
(m_free -> MFREE -> _MEXTREMOVE)

> regards,
> Sebastian

-- 
Best Regards,
Joel Eriksson
CTO Bitsec
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave