[22974] in bugtraq


Re: SSH deja vu

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Wed Oct 24 01:06:12 2001

Date: Tue, 23 Oct 2001 19:11:01 -0400 (EDT)
From: Michal Zalewski <lcamtuf@coredump.cx>
To: Lucian Hudin <luci@warp.transart.ro>
Cc: Max Parke <mhp@lightlink.com>, bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.30.0110240004490.29114-100000@warp.transart.ro>
Message-ID: <Pine.LNX.4.21.0110231907160.1309-100000@nimue.bos.bindview.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 24 Oct 2001, Lucian Hudin wrote:

> I don't know about any teso exploit, but what I want to mention is
> that I remember studying this problem myself and I've found that the
> crc32 bug doesn't manifest under operating systems that return NULL on
> realloc(ptr, 0); So if the exploit is based on the fact that
> realloc(ptr, 0) will NOT return NULL, Linux & W2k (systems I have
> access on) were never actually vulnerable.

Very interesting conclusion - but certainly wrong. Actually, modern
systems usually allow you to allocate zero-sized "placeholders", and
Linux, *BSD and (IIRC) Solaris follow this rule. Two proof-of-concept
exploits were already published on BUGTRAQ, numerous others - developed
for a not so broad audience.

>  The Linux realloc manual says :
>  "realloc() returns a pointer to the newly allocated memory, which is
>  suitably aligned  for  any  kind  of variable  and  may  be  different
>  from ptr, or NULL if the request fails or if size was equal to 0."

The manual page is wrong. This is not the behavior of recent glibc
releases.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
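The disagreement above is about what realloc(ptr, 0) returns. The C standard leaves that result implementation-defined: a library may hand back NULL, or it may hand back a valid zero-sized "placeholder" as Zalewski says modern glibc does. Code that treats "realloc returned non-NULL" as proof that it now owns a usable buffer of the requested size is therefore fragile whenever the size can collapse to zero. The program below is an added example written for this archive page, not code from the thread or from any SSH implementation. The helper names (realloc_zero_returns_placeholder, xrealloc and the two demo functions) are hypothetical. It first probes which behaviour the running C library has, then shows a wrapper that refuses a zero-byte request up front so that a non-NULL return always means a buffer of at least the requested size and a NULL return always means a real allocation failure.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Probe (hypothetical helper): what does this libc do for realloc(ptr, 0)?
 * Returns 1 if a non-NULL zero-sized placeholder came back, 0 if NULL came
 * back, -1 if the initial malloc failed. Both 1 and 0 are legal per the C
 * standard, which is why callers must not rely on either. */
int realloc_zero_returns_placeholder(void)
{
    void *p = malloc(16);
    if (p == NULL)
        return -1;
    void *q = realloc(p, 0);
    if (q != NULL) {
        free(q);            /* placeholder returned; p was released by realloc */
        return 1;
    }
    /* NULL returned: on this implementation p has been freed as well
     * (glibc semantics), so there is nothing left to free here. */
    return 0;
}

/* Hardened wrapper (hypothetical, not from the thread): never lets a caller
 * confuse "I asked for zero bytes" with "the allocation succeeded". A zero
 * byte request is reported as a failure and the caller's buffer is left
 * untouched, so the caller keeps ownership of exactly what it had before. */
void *xrealloc(void *ptr, size_t size, int *failed)
{
    *failed = 0;
    if (size == 0) {
        *failed = 1;        /* logic error upstream: refuse, do not touch ptr */
        return ptr;
    }
    void *q = realloc(ptr, size);
    if (q == NULL) {
        *failed = 1;        /* genuine out-of-memory; ptr is still valid */
        return ptr;
    }
    return q;               /* at least `size` bytes, old contents preserved */
}

/* Demo 1: a zero-byte request is rejected and the original buffer survives. */
int demo_zero_size_rejected(void)
{
    int failed = 0;
    char *buf = malloc(8);
    if (buf == NULL)
        return -1;
    void *q = xrealloc(buf, 0, &failed);
    int ok = (failed == 1 && q == (void *)buf);
    free(buf);
    return ok;
}

/* Demo 2: a normal grow succeeds and keeps the old contents. */
int demo_grow_ok(void)
{
    int failed = 0;
    char *buf = malloc(8);
    if (buf == NULL)
        return -1;
    memset(buf, 'A', 8);                      /* constructed sample contents */
    char *q = xrealloc(buf, 64, &failed);
    int ok = (failed == 0 && q != NULL && memcmp(q, "AAAAAAAA", 8) == 0);
    free(q);                                  /* q == buf if the grow failed */
    return ok;
}

int main(void)
{
    int r = realloc_zero_returns_placeholder();
    printf("realloc(ptr, 0) on this libc returns %s\n",
           r == 1 ? "a non-NULL placeholder" : r == 0 ? "NULL" : "(probe failed)");
    printf("zero-size request rejected by xrealloc: %s\n",
           demo_zero_size_rejected() == 1 ? "yes" : "no");
    printf("64-byte grow through xrealloc: %s\n",
           demo_grow_ok() == 1 ? "ok" : "failed");
    return 0;
}
```

Run it on two different systems and the first line may differ, which is the point of the thread; the second and third lines do not, because the wrapper makes the outcome independent of what the C library chooses to do with a zero-byte request.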

