Zlib security heads up
Luciano Notarfrancesco
lnotarfrancesco at yahoo.com
Mon Mar 18 20:57:30 UTC 2002
Duane Maxwell wrote:
>The "potential root exploit" for this "glitch" (to use the official happy
>friendly Microsoft term for "gaping security hole") is hard to imagine if
>the program being attacked does not run as root. Even then it is more
>likely that one can cause a program to crash with a carefully formed
>compressed packet - so it's more of a "denial of service" type of exploit
>through damage to the heap. Most root exploits are of the "buffer overflow"
>type, which allow you to place code on the stack by exceeding the size of a
>local array.
>
I'm on vacation, so I haven't looked at this bug yet, but free() bugs
can certainly be used to execute arbitrary code. Basically, if you can
make a program call free() with a pointer to data controlled by you,
you'll be able to write 4 bytes wherever you want, and that's usually
more than enough for executing arbitrary code. For a detailed
description of the problem take a look at
http://phrack.org/phrack/57/p57-0x09 and
http://phrack.org/phrack/57/p57-0x08.
Cheers,
Luciano.-
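
Added example, not part of the original message and not code from zlib or any real allocator: a simplified model of a free-list unlink, showing why freeing a chunk whose link fields are controlled produces a pointer-sized write (4 bytes on a 32-bit system), and the back-pointer check that refuses it. The struct layout and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a free-chunk header; not any real allocator's layout. */
struct chunk { size_t size; struct chunk *fd, *bk; };

/* Unlink that trusts the links stored in the chunk being removed. */
static void unlink_unchecked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;   /* pointer-sized write to an address taken from p->fd */
    bk->fd = fd;   /* and a second one to an address taken from p->bk */
}

/* Hardened unlink: both neighbours must point back at p before any write. */
static int unlink_checked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1; /* corrupted list: a real allocator would abort here */
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Returns 1 if unlinking a chunk with forged links changed memory off the list. */
int forged_unlink_overwrites(int hardened) {
    struct chunk head = {0, NULL, NULL}, tail = {0, NULL, NULL}, p = {32, NULL, NULL};
    struct chunk victim = {0, NULL, NULL}; /* stands in for unrelated memory */
    struct chunk value = {0, NULL, NULL};  /* stands in for the value written */
    head.fd = &p; p.bk = &head; p.fd = &tail; tail.bk = &p;
    p.fd = &victim; p.bk = &value;         /* constructed corruption of p's header */
    if (hardened) unlink_checked(&p); else unlink_unchecked(&p);
    return victim.bk != NULL;
}

/* Returns 1 if the hardened unlink still removes a chunk from an intact list. */
int intact_unlink_ok(void) {
    struct chunk head = {0, NULL, NULL}, tail = {0, NULL, NULL}, p = {32, NULL, NULL};
    head.fd = &p; p.bk = &head; p.fd = &tail; tail.bk = &p;
    return unlink_checked(&p) == 0 && head.fd == &tail && tail.bk == &head;
}

int main(void) {
    printf("unchecked unlink, forged links: overwrite=%d\n", forged_unlink_overwrites(0));
    printf("checked unlink, forged links:   overwrite=%d\n", forged_unlink_overwrites(1));
    printf("checked unlink, intact list:    ok=%d\n", intact_unlink_ok());
    return 0;
}
```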