Bugtraq mailing list archives

Re: Very interesting traceroute flaw


From: Daniel Jacobowitz <dmj+ () ANDREW CMU EDU>
Date: Sat, 30 Sep 2000 17:18:42 -0400

On Fri, Sep 29, 2000 at 09:51:02AM -0700, pedward () WEBCOM COM wrote:
> What is causing the segmentation fault is freeing of unallocated memory, not
> the fact that you are calling free in the middle of a chunk of malloced
> memory.  This code will produce SIGBUS on solaris and other hardware that
> supports misaligned access exceptions.

No... this is not a misaligned access if the data saved is of the
proper size.

> I have downloaded the sources and done the work:
>
> The second -g 1 causes a free() on an unallocated pointer.  The problem
> is that the second 'savestr' doesn't actually allocate a chunk of memory
> for hi->name, so when free is called against the bogus pointer it segfaults
> in chunk_free.  The hi->name is actually written to an unallocated, but unused
> portion of the heap.

Not necessarily unused, depending on the sequence of options passed.
You can corrupt resolver datastructures this way.

> If this is possibly exploitable (rh6.2 rev 18), then I would be REALLY
> surprised.  savestr is only used in gethostinfo, totally innocuous.

Passing user-controlled data to free is sufficient.  I'm thoroughly
convinced that this would be exploitable, at least on big-endian
architectures (the trailing 0 of the saved string can be problematic).

For more information, see the discussion in the security-audit mail
archives when the issue was first noticed (well, second - I had a private
conversation with Chris Evans about it after he first mentioned it, if
I recall correctly):
  http://www.geocrawler.com/archives/3/302/2000/8/0/

Also see the discussion of heap overflows by Solar Designer that Chris
mentioned in the original post in this thread.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan () debian org         |  |       dmj+ () andrew cmu edu      |
\--------------------------------/  \--------------------------------/
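The ownership mistake discussed in this message, modelled as an added C example that is not code from this thread or from any traceroute release: a string-saving helper that hands out slices of one shared malloc'ed pool (so only the first pointer it returns is a valid free() target, and the second lies in the interior of that chunk), beside a hardened helper in which every saved string is its own allocation. The names pool_savestr, owned_savestr, hostinfo and the two check functions are hypothetical, and the host names are constructed sample input.

```c
/* Added example: model of a pool-style savestr whose return values get
 * free()d later, beside a version where each free() matches one malloc().
 * Not the thread's code; helper names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_CHUNK 1024

/* Pool model: carves strings out of one shared malloc()ed buffer. */
static char *pool_base = NULL;
static size_t pool_left = 0;

static char *pool_savestr(const char *s) {
    size_t n = strlen(s) + 1;
    if (n > pool_left) {
        pool_left = POOL_CHUNK > n ? POOL_CHUNK : n;
        pool_base = malloc(pool_left);
        if (pool_base == NULL)
            return NULL;
    }
    char *cp = pool_base;
    memcpy(cp, s, n);
    pool_base += n;
    pool_left -= n;
    /* Only the first pointer cut from a fresh chunk is what malloc() returned;
     * every later one points into the middle of that chunk. */
    return cp;
}

/* Hardened helper: one allocation per saved string, so the caller owns a
 * pointer that free() accepts. */
static char *owned_savestr(const char *s) {
    size_t n = strlen(s) + 1;
    char *cp = malloc(n);
    if (cp == NULL)
        return NULL;
    memcpy(cp, s, n);
    return cp;
}

struct hostinfo {
    char *name;   /* address list omitted in this model */
};

/* Review check for the pool model: the second returned pointer lies strictly
 * inside the chunk obtained by the first call, i.e. it is not a free() target.
 * The interior pointer is deliberately never passed to free(). */
int pool_second_pointer_is_interior(void) {
    char *a = pool_savestr("host-a.example");   /* constructed sample */
    char *b = pool_savestr("host-b.example");   /* constructed sample */
    if (a == NULL || b == NULL)
        return -1;
    int interior = (b > a) && (b < a + POOL_CHUNK);
    free(a);                  /* valid: a is what malloc() returned */
    pool_base = NULL;         /* drop the now-dangling pool state */
    pool_left = 0;
    return interior;          /* 1: free(b) would corrupt the heap */
}

/* Same pairing with the hardened helper: every name is its own allocation,
 * contents survive, and each free() matches exactly one malloc(). */
int owned_pointers_are_independent(void) {
    struct hostinfo hi1 = { owned_savestr("host-a.example") };
    struct hostinfo hi2 = { owned_savestr("host-b.example") };
    int ok = hi1.name != NULL && hi2.name != NULL
          && strcmp(hi1.name, "host-a.example") == 0
          && strcmp(hi2.name, "host-b.example") == 0;
    free(hi1.name);
    free(hi2.name);
    return ok;
}

int main(void) {
    printf("pool model: second pointer interior to chunk = %d\n",
           pool_second_pointer_is_interior());
    printf("owned model: independent allocations = %d\n",
           owned_pointers_are_independent());
    return 0;
}
```

The check functions are written to return their verdict rather than print it, so the same pairing can be dropped into a unit test; the pool version is what makes a later `free(hi->name)` operate on a non-allocation pointer, which is the crash in chunk_free described above.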
