
List:       bugtraq
Subject:    Re: Very interesting traceroute flaw
From:       Pavel Kankovsky <peak () ARGO ! TROJA ! MFF ! CUNI ! CZ>
Date:       2000-09-30 22:11:49

On Fri, 29 Sep 2000 pedward@WEBCOM.COM wrote:

> What is causing the segmentation fault is freeing of unallocated memory, not
> the fact that you are calling free in the middle of a chunk of malloced
> memory.

1. p = savestr(S)
   savestr() allocates a 1024-byte long buffer and stores S there:
     +----------------------------+----------------------------+
     | S[0] S[1]  ...   S[l-1] \0 |          junk              |
     +----------------------------+----------------------------+
2. free(p)
   free() frees the buffer; it may scrub some bytes at the beginning,
   as well as at the end, but it will probably leave most of the buffer intact
     +-------+--------------------+----------------------------+
     | junk  | S[k] ... S[l-1] \0 |          junk              |
     +-------+--------------------+----------------------------+
3. p = savestr(T)
   stores T into the unallocated memory that used to be the buffer
     +-------+--------------------+--------------------+-------+
     | junk  | S[k] ... S[l-1] \0 | T[0] ... T[n-1] \0 |  junk |
     +-------+--------------------+--------------------+-------+
4. free(p)
   calls free() with a pointer pointing at the byte where T[0] was
   stored; if the implementation of malloc/free does a usual thing and
   puts its own data before allocated blocks, free() will treat
   the end of S (plus the trailing zero) as those private data

Nevertheless, to make this exploitable, one would have to make S,
including the fake malloc/free private data, acceptable to either
inet_addr() or gethostbyname(). inet_addr() limits the set of characters
to digits and dots unless it is seriously broken. This means one would
have to "convince" gethostbyname() to return successfully on a string of
binary garbage, and this would not be easy, esp. if the local resolver is
a fussy one and refuses to accept responses containing illegal hostnames
(AFAIK, the glibc2.x resolvers are fussy).

> This code will produce SIGBUS on solaris and other hardware that
> supports misaligned access exceptions.

It depends on the length of S.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
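
As an added illustration (not part of the post, and not traceroute's own source), the pooling pattern the post describes, written as a minimal model, next to a per-string replacement whose returned pointers are always valid arguments to free(). The names `savestr_pooled`, `savestr_safe` and `POOL_SIZE` are assumed for this example.

```c
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 1024  /* assumed pool size, matching the 1024-byte buffer in the post */

/* Model of the pooling pattern the post describes (illustrative, not the
 * project's code): one POOL_SIZE buffer is malloc()ed and successive
 * strings are stored back to back in it. Only the first pointer handed
 * out is the start of a malloc()ed block; every later one is interior,
 * and the pool keeps advancing even after a caller free()s the block. */
char *savestr_pooled(const char *str)
{
    static char *cursor = NULL;  /* next free byte in the current pool */
    static size_t left = 0;      /* bytes remaining in the current pool */
    size_t size = strlen(str) + 1;
    char *p;

    if (size > left) {
        left = POOL_SIZE > size ? POOL_SIZE : size;
        cursor = malloc(left);
        if (cursor == NULL)
            return NULL;
    }
    memcpy(cursor, str, size);
    p = cursor;
    cursor += size;  /* T lands right after S, exactly as in the post's step 3 */
    left -= size;
    return p;
}

/* Corrected form: every string gets its own allocation, so free() on the
 * returned pointer always receives the address malloc() handed out. */
char *savestr_safe(const char *str)
{
    size_t size = strlen(str) + 1;
    char *p = malloc(size);
    if (p != NULL)
        memcpy(p, str, size);
    return p;
}

/* Returns 1 if the second pointer from the pooled variant lies inside the
 * block holding the first one (offset strlen(S)+1), i.e. is not a valid
 * argument for free(); the interior pointer is deliberately never freed. */
int pooled_returns_interior_pointer(void)
{
    char *s = savestr_pooled("10.0.0.1");        /* constructed sample S */
    char *t = savestr_pooled("example.invalid"); /* constructed sample T */
    return s != NULL && t == s + strlen(s) + 1;
}
```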
