Vulnerability Development mailing list archives

Must coredump? No. (Was: Local root through vuln...)


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Thu, 24 Aug 2000 00:11:12 +0200

> Any reason why it *has to* core dump before being exploitable? Maybe
> something's getting overwritten and it's still following a valid (although
> undesired) execution path?

No, it is of course not an axiom when you speak of software in general.
The fact that software doesn't coredump on shellcode is enough to prove it
wrong, and if it is overwriting data it could overwrite something like
"DoSUID=False" to "DoSUID=True". Therefore, a security researcher should
assume all vulnerabilities are exploitable until the subject is fully
researched.

My quote:
Doesn't seem exploitable, but a bit funny :)

is very relaxed and unspecific. Anyone saying "Doesn't seem exploitable"
should certainly not be considered to have real research behind his words.
"Seem" is a very weak word.

What I meant was that all the testing I've done so far with traceroute has
never once resulted in a coredump. Therefore I think, without strong
research behind my words, that this specific bug never causes a
buffer overflow. I also assumed traceroute to be written with such
simplicity and logical behaviour that there exists no condition where
overwritten data can cause a problem.

Thinking of it, the last assumption is a bit dangerous. I still think it
to be true, but theoretically a data overflow could do something really
funny - like overwriting a format string. Exploiting one vulnerability
to exploit yet another :)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

ps.
my mail about traceroute was based upon a few minutes of testing. The
mail expressed opinions and conclusions based upon only this and some
assumptions drawn from the debate on ping. It did not contain one cent of
real research :)
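The point made above, that an overflow can silently flip adjacent data such as a "DoSUID" flag without ever producing a core dump, is illustrated by the following added example. It is not code from the post and has nothing to do with traceroute itself: the record layout, the field names and the inputs are all constructed for the demonstration. A hypothetical record keeps an 8-byte name field directly followed by a one-byte privilege flag; the unchecked copy stays inside mapped memory, so the program runs to completion and only the flag value reveals the corruption, while the bounds-checked copy leaves the flag untouched.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the mailing-list post and not traceroute code.
 * Hypothetical record: an 8-byte name field followed in memory by a
 * privilege flag byte, inside a 16-byte record. */
#define NAME_LEN   8
#define FLAG_OFF   NAME_LEN      /* the flag byte sits right after the name */
#define RECORD_LEN 16

/* Unchecked copy: writes strlen(input) bytes into the name field.
 * Every write stays inside the 16-byte record, so nothing faults and
 * nothing core dumps, yet the flag byte at offset 8 can be overwritten. */
static void copy_name_unchecked(unsigned char *record, const char *input)
{
    size_t n = strlen(input);
    if (n > RECORD_LEN) n = RECORD_LEN;   /* keep the demo within the record */
    memcpy(record, input, n);
}

/* Bounds-checked copy: truncates to the name field and never touches the flag. */
static void copy_name_checked(unsigned char *record, const char *input)
{
    size_t n = strlen(input);
    if (n > NAME_LEN - 1) n = NAME_LEN - 1;
    memcpy(record, input, n);
    record[n] = '\0';
}

/* Returns the privilege flag after `input` has been copied into a fresh
 * record with the chosen copy routine: 0 means "DoSUID=False",
 * non-zero means the flag has been flipped. */
int flag_after(const char *input, int checked)
{
    unsigned char record[RECORD_LEN];
    memset(record, 0, sizeof record);     /* start unprivileged: flag = 0 */
    if (checked)
        copy_name_checked(record, input);
    else
        copy_name_unchecked(record, input);
    return record[FLAG_OFF];
}

int main(void)
{
    /* Constructed input: 8 name bytes followed by a single non-zero byte. */
    const char *oversized = "AAAAAAAA\x01";

    printf("unchecked copy, oversized input: flag=%d\n", flag_after(oversized, 0));
    printf("checked copy,   oversized input: flag=%d\n", flag_after(oversized, 1));
    printf("unchecked copy, short input:     flag=%d\n", flag_after("bob", 0));
    return 0;
}
```

The unchecked path reports flag=1 for the oversized input and the program exits normally, which is exactly the situation where "it never coredumps" says nothing about exploitability; the checked path reports flag=0 for the same input. In a real review the absence of a crash is therefore no evidence, and the check to perform is whether any write can reach past the field it was meant for.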

