[16972] in bugtraq
Re: Very interesting traceroute flaw
daemon@ATHENA.MIT.EDU (pedward@WEBCOM.COM)
Sat Sep 30 16:57:13 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <200009291651.JAA24056@eris>
Date: Fri, 29 Sep 2000 09:51:02 -0700
Reply-To: pedward@WEBCOM.COM
From: pedward@WEBCOM.COM
X-To: chris@ferret.lmh.ox.ac.uk
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0009282201460.28324-100000@ferret.lmh.ox.ac.uk>
from "Chris Evans" at Sep 28, 2000 11:33:28 PM
What is causing the segmentation fault is freeing of unallocated memory, not
the fact that you are calling free in the middle of a chunk of malloced
memory. This code will produce SIGBUS on solaris and other hardware that
supports a misaligned access exceptions.
I have downloaded the sources and done the work:
The second -g 1 causes a free() on an unallocated pointer. The problem
is that the second 'savestr' doesn't actually allocate a chunk of memory
for hi->name, so when free is called against the bogus pointer it segfaults
in chunk_free. The hi->name is actually written to an unallocated, but unused
portion of the heap.
If this is possibly exploitable (rh6.2 rev 18), then I would be REALLY
surprised. savestr is only used in gethostinfo, totally innocuous.
--Perry
> traceroute -g 1 -g 1 (I think it didn't need a hostname)
> Segmentation fault
>
> Looking at the code, there is a file "savestr.c", which contains a
> function savestr(). This savestr() function is essentially a
> strdup() function, but with the difference that an attempt is made to cut
> down on the number of malloc() calls. This is accomplished by malloc()'ing
> a large block and handing out pointers _inside_ this block as savestr() is
> repeatedly called.
>
> So where does this all go wrong? Unfortunately, the clients of the
> savestr() method seemed to treat savestr() like it was strdup() - i.e. all
> pointers returned must be free()'d or you have a leak. This is not the
> case, so we have the flaw: free() called on a pointer not allocated by
> malloc().
--
Perry Harrington Director of zelur xuniL ()
perry@webcom.com System Architecture Think Blue. /\
