List: bugtraq
Subject: Re: Very interesting traceroute flaw
From: Pavel Kankovsky <peak () ARGO ! TROJA ! MFF ! CUNI ! CZ>
Date: 2000-09-30 22:11:49
On Fri, 29 Sep 2000 pedward@WEBCOM.COM wrote:
> What is causing the segmentation fault is freeing of unallocated memory, not
> the fact that you are calling free in the middle of a chunk of malloced
> memory.
1. p = savestr(S)
savestr() allocates 1024-bytes long buffer and stores S there:
+----------------------------+----------------------------+
| S[0] S[1] ... S[l-1] \0    | junk                       |
+----------------------------+----------------------------+
2. free(p)
free() frees the buffer; it may scrub some bytes at the beginning,
as well as at the end, but it will probably leave most of the buffer intact
+-------+--------------------+----------------------------+
| junk  | S[k] ... S[l-1] \0 | junk                       |
+-------+--------------------+----------------------------+
3. p = savestr(T)
stores T into the unallocated memory that used to be the buffer
+-------+--------------------+--------------------+-------+
| junk  | S[k] ... S[l-1] \0 | T[0] ... T[n-1] \0 | junk  |
+-------+--------------------+--------------------+-------+
4. free(p)
calls free() with a pointer pointing at the byte where T[0] was
stored; if the implementation of malloc/free does a usual thing and
puts its own data before allocated blocks, free() will treat
the end of S (plus the trailing zero) as those private data
Nevertheless, to make this exploitable, one would have to make S,
including the fake malloc/free private data, acceptable to either
inet_addr() or gethostbyname(). inet_addr() limits the set of characters
to digits and dots unless it is seriously broken. This means one would
have to "convince" gethostbyname() to return successfully on a string of
binary garbage, and this would not be easy, esp. if the local resolver is
a fussy one and refuses to accept responses containing illegal hostnames
(AFAIK, the glibc 2.x resolvers are fussy).
> This code will produce SIGBUS on solaris and other hardware that
> supports misaligned access exceptions.
It depends on the length of S.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
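An added example, not traceroute's code and not from this thread: a C model of the bump-pointer savestr() arena sketched in steps 1 and 3 above, together with the ownership check a caller should apply before free() so that the invalid frees of steps 2 and 4 never reach the allocator. The names arena_savestr, arena_owns and release_str are assumed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model of savestr(): one 1024-byte buffer is malloc'ed on first use
   and later strings are carved out of it with a bump pointer (steps 1 and 3). */
#define ARENA_SIZE 1024
static char *arena_base = NULL;   /* the only pointer free() may ever receive */
static char *arena_next = NULL;   /* next free byte inside the arena */

/* Copies s into the arena and returns an interior pointer.  Because the
   pointer is not the start of a malloc'ed block, passing it to free() is
   exactly the heap corruption the mail describes. */
char *arena_savestr(const char *s) {
    size_t len = strlen(s) + 1;           /* include the trailing '\0' */
    if (arena_base == NULL) {
        arena_base = malloc(ARENA_SIZE);
        if (arena_base == NULL) return NULL;
        arena_next = arena_base;
    }
    if ((size_t)(arena_base + ARENA_SIZE - arena_next) < len)
        return NULL;                      /* arena exhausted; caller must handle */
    char *p = memcpy(arena_next, s, len);
    arena_next += len;
    return p;
}

/* True when p lies inside the arena, i.e. was handed out by arena_savestr(). */
int arena_owns(const void *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)arena_base;
    return arena_base != NULL && a >= lo && a < lo + ARENA_SIZE;
}

/* Guard a caller should use instead of a bare free(): arena strings are left
   alone (returns 0); anything else is assumed to be a normal heap block and is
   freed (returns 1).  Steps 2 and 4 of the mail are both stopped here. */
int release_str(char *p) {
    if (arena_owns(p)) return 0;
    free(p);
    return 1;
}
```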