oss-sec mailing list archives

Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)


From: Marek Kroemeke <kroemeke () gmail com>
Date: Tue, 27 Jan 2015 17:02:50 +0000

Hi there,

We just noticed CVE-2015-0235, and we thought we would drop this one in - apologies
for the low quality; we didn't really have time yet to analyse it, but it seems to be
related, so it makes sense to patch things once, right?

-- cut --
valgrind ./traceroute/traceroute $(printf "\302a")
==12559== Memcheck, a memory error detector
==12559== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==12559== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==12559== Command: ./traceroute/traceroute Âa
==12559== 
==12559== Invalid free() / delete / delete[] / realloc()
==12559==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==12559==    by 0x537258A: gaih_inet (getaddrinfo.c:1328)
==12559==    by 0x53757C1: getaddrinfo (getaddrinfo.c:2433)
==12559==    by 0x40530F: ??? (in /home/marek/Downloads/traceroute-2.0.19/traceroute/traceroute)
==12559==    by 0x405D1B: ??? (in /home/marek/Downloads/traceroute-2.0.19/traceroute/traceroute)
==12559==    by 0x409EA1: ??? (in /home/marek/Downloads/traceroute-2.0.19/traceroute/traceroute)
==12559==    by 0x405DAC: ??? (in /home/marek/Downloads/traceroute-2.0.19/traceroute/traceroute)
==12559==    by 0x52D9EAC: (below main) (libc-start.c:244)
==12559==  Address 0x7ff0005f7 is on thread 1's stack
==12559== 
-- cut --


-- cut --
marek@GHOSTMYASS:~$ traceroute $(printf "\302a")
*** glibc detected *** traceroute: munmap_chunk(): invalid pointer: 0x00007fff1b43a547 ***
======= Backtrace: =========
/lib64/libc.so.6(cfree+0x166)[0x32244758c6]
/lib64/libc.so.6[0x32244bc116]
/lib64/libc.so.6(getaddrinfo+0x21a)[0x32244be94a]
traceroute[0x402926]
traceroute[0x4029f1]
traceroute[0x406281]
traceroute[0x403546]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x322441d9f4]
traceroute[0x401619]
======= Memory map: ========
Aborted
marek@GHOSTMYASS:~$ 

-- cut --

Cheers! 

Filip Palian,
AKAT-1,
Marek Kroemeke
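An added example, not part of this post or of traceroute: a defender-side hostname check in C that refuses byte sequences like the one in the reports above before they ever reach getaddrinfo(), plus a wrapper that resolves only names that pass (without AI_IDN). It assumes only standard glibc/POSIX headers; the function names hostname_is_ldh, resolve_checked and resolve_status are my own.

```c
#include <ctype.h>
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>
/* Accept only RFC 1123 "LDH" hostnames: ASCII letters, digits and hyphens in
 * labels of 1..63 bytes not starting/ending with '-', <= 253 bytes overall,
 * optional trailing dot. Bytes >= 0x80 are refused, so a stray non-UTF-8
 * sequence such as "\302a" never reaches the resolver's IDN handling. */
int hostname_is_ldh(const char *name)
{
    size_t len = strlen(name), label = 0;
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0 || name[i - 1] == '-')
                return 0;           /* empty label or trailing hyphen */
            label = 0;
        } else if (c >= 0x80 || !(isalnum(c) || c == '-')) {
            return 0;               /* non-ASCII or non-LDH byte */
        } else if ((label == 0 && c == '-') || ++label > 63) {
            return 0;               /* leading hyphen or label too long */
        }
    }
    return label == 0 || name[len - 1] != '-';
}

/* getaddrinfo() wrapper: validate first and never set AI_IDN, so rejected
 * input is not handed to the resolver. Returns EAI_NONAME when rejected. */
int resolve_checked(const char *name, struct addrinfo **res)
{
    struct addrinfo hints;
    *res = NULL;
    if (!hostname_is_ldh(name))
        return EAI_NONAME;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    return getaddrinfo(name, NULL, &hints, res);
}

/* Status-only variant for callers that do not need the address list. */
int resolve_status(const char *name)
{
    struct addrinfo *res;
    int rc = resolve_checked(name, &res);
    if (rc == 0)
        freeaddrinfo(res);
    return rc;
}
```

Applications that must support internationalised names should convert them to punycode themselves before calling the wrapper, so the check still sees plain LDH labels.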

