Vulnerability Development mailing list archives
Re: traceroute-4.4BSD (slack) heap overflow
From: Cristi Dumitrescu <cristid () CHIP RO>
Date: Mon, 8 Jan 2001 16:13:48 -0800
It's *not* that easy. Take my word for it :) As sgp () telsatgp com pl pointed out, there must be a certain limit in the resolver... Also, the resolver *certainly* limits the character set. As far as I know, there is no shellcode composed of this character set. It's not impossible to write one, but it would be very, very hard to do so.

----- Original Message -----
From: "El Nahual" <nahual () S0D SAL ITESM MX>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Saturday, January 06, 2001 6:44 AM
Subject: Re: traceroute-4.4BSD (slack) heap overflow

Well bro, there is an easy way to do that ... =) ... reverse DNS maybe? I remember seeing from another pen-tester (bows to him) a remote OpenBSD exploit with the format one that yielded root, saw it with my own 2 little eyes. He modified the hosts file. We played a little with it and realized that in that case, since the offending code was in setproctitle(), we could put the shellcode in the DNS to point into our name. Maybe something like that can be done to exploit this ... I'll play with it a little bit.

El Nahual

On Thu, 4 Jan 2001, Cristi Dumitrescu wrote:

> Hi,
>
> A while ago I was studying the source code for this traceroute... I found
> this in the inetname function:
>
>     ...
>     static char line[50];
>     ...
>     if (cp)
>         (void) strcpy(line, cp);
>     else {
>     ...
>
> The cp variable holds at that point the hostname for the current host it's
> tracing. If the hostname is something like a little bit bigger than 4096+50
> chars it will overflow some other variables from the heap. You can easily
> check this out by modifying your /etc/hosts; I remember I made it segfault,
> though I don't remember exactly how. Anyway, I debugged it and ltraced for a
> couple of hours and I doubt an exploit could be done, especially given the
> fact that it's a hostname we're overflowing. So, I thought I'd post it here,
> maybe someone thinks of a way to actually do something with this.
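The two points the thread turns on are the unbounded strcpy() into the 50-byte static buffer quoted above and the claim that a resolver-supplied hostname restricts both the length and the byte values an attacker controls. The C below is an added example written for this archive page; it is not code from traceroute or from anyone in the thread. It places the quoted pattern beside a bounded copy, computes how far a name of a given length would overrun the buffer, and counts how many bytes of a constructed payload a hostname filter would reject. Assumptions: the buffer size 50 comes from the quoted `static char line[50]`; the accepted hostname byte set (letters, digits, '-' and '.') is a conservative model, since the thread does not say what the resolver on that system actually passes through; `make_name()`, `SAMPLE_BYTES` and the example hostnames are constructed inputs, not data from the posts.

```c
/* Added example (not code from traceroute or from anyone in this thread).
 * Models the strcpy-into-static-buffer pattern quoted from inetname() beside
 * a bounded replacement, plus a hostname character-set filter.
 * Assumptions: LINE_SZ is taken from the quoted "static char line[50]";
 * the accepted hostname byte set (letters, digits, '-', '.') is a conservative
 * model, since the thread does not say what the resolver actually lets through. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LINE_SZ 50

/* The pattern as quoted from inetname(): no length check on cp. Kept for
 * comparison only; main() below calls it with a name that fits. */
static char line_vuln[LINE_SZ];
const char *inetname_vuln(const char *cp)
{
    if (cp)
        (void) strcpy(line_vuln, cp);   /* a cp of 50+ bytes writes past line_vuln */
    else
        line_vuln[0] = '\0';
    return line_vuln;
}

/* Bounded version: copy at most LINE_SZ-1 bytes and always NUL-terminate. */
static char line_safe[LINE_SZ];
const char *inetname_safe(const char *cp)
{
    size_t n = cp ? strlen(cp) : 0;
    if (n >= LINE_SZ)
        n = LINE_SZ - 1;                /* truncate instead of overflowing */
    if (n)
        memcpy(line_safe, cp, n);
    line_safe[n] = '\0';
    return line_safe;
}

/* Bytes that strcpy(line, cp) would write past a LINE_SZ buffer (0 = fits). */
size_t overflow_bytes(const char *cp)
{
    size_t need = strlen(cp) + 1;       /* include the terminating NUL */
    return need > LINE_SZ ? need - LINE_SZ : 0;
}

/* Conservative hostname byte set (assumption, see header comment). */
int is_hostname_byte(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '.';
}

/* Count the bytes of buf that the hostname filter would not let through. */
size_t non_hostname_bytes(const unsigned char *buf, size_t len)
{
    size_t bad = 0;
    for (size_t i = 0; i < len; i++)
        if (!is_hostname_byte(buf[i]))
            bad++;
    return bad;
}

/* Constructed name of 'len' 'a' characters, built in a static buffer. */
static char name_buf[4200];
const char *make_name(size_t len)
{
    if (len >= sizeof name_buf)
        len = sizeof name_buf - 1;
    memset(name_buf, 'a', len);
    name_buf[len] = '\0';
    return name_buf;
}

/* Constructed byte string standing in for a payload: two NOPs, an int 0x80, "bin/sh". */
const unsigned char SAMPLE_BYTES[] = { 0x90, 0x90, 0xcd, 0x80, 'b', 'i', 'n', '/', 's', 'h' };

int main(void)
{
    const char *name = make_name(4096 + 50);   /* the length the original post mentions */
    printf("%zu-byte name: strcpy would overrun line[%d] by %zu bytes\n",
           strlen(name), LINE_SZ, overflow_bytes(name));
    printf("bounded copy keeps %zu bytes\n", strlen(inetname_safe(name)));
    printf("short name via the original pattern: %s\n", inetname_vuln("gw.example.net"));
    printf("%zu of %zu payload bytes fail the hostname filter\n",
           non_hostname_bytes(SAMPLE_BYTES, sizeof SAMPLE_BYTES), sizeof SAMPLE_BYTES);
    return 0;
}
```

Note that `inetname_vuln()` is never called with a long name here, since doing so is exactly the out-of-bounds write under discussion; `overflow_bytes()` reports what that call would do without performing it. The filter only shows how many raw payload bytes a letters/digits/hyphen/dot name cannot carry, which is the obstacle Cristi describes; it does not say anything about whether a payload restricted to that set exists.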
Current thread:
- traceroute-4.4BSD (slack) heap overflow Cristi Dumitrescu (Jan 05)
- Re: traceroute-4.4BSD (slack) heap overflow Heinrich Langos (Jan 05)
- Re: traceroute-4.4BSD (slack) heap overflow Cristi Dumitrescu (Jan 05)
- Re: traceroute-4.4BSD (slack) heap overflow Jose Nazario (Jan 07)
- Re: traceroute-4.4BSD (slack) heap overflow Slawek (Jan 07)
- Re: traceroute-4.4BSD (slack) heap overflow Cristi Dumitrescu (Jan 05)
- Re: traceroute-4.4BSD (slack) heap overflow El Nahual (Jan 06)
- Re: traceroute-4.4BSD (slack) heap overflow Cristi Dumitrescu (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Slawek (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Cristi Dumitrescu (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Olaf Kirch (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Dale Thatcher (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Gordon Messmer (Jan 09)
- Re: traceroute-4.4BSD (slack) heap overflow Frank de Lange (Jan 09)
- Re: traceroute-4.4BSD (slack) heap overflow Matt Zimmerman (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Olaf Kirch (Jan 09)
- Re: traceroute-4.4BSD (slack) heap overflow Rodrigo Barbosa (aka morcego) (Jan 10)
- Re: traceroute-4.4BSD (slack) heap overflow Dale Thatcher (Jan 08)
- Re: traceroute-4.4BSD (slack) heap overflow Cristi Dumitrescu (Jan 09)
- Re: traceroute-4.4BSD (slack) heap overflow Heinrich Langos (Jan 05)
- <Possible follow-ups>
- Re: traceroute-4.4BSD (slack) heap overflow Oliver Friedrichs (Jan 05)