Zlib security heads up

Luciano Notarfrancesco lnotarfrancesco at yahoo.com
Mon Mar 18 20:57:30 UTC 2002


Duane Maxwell wrote:

>The "potential root exploit" for this "glitch" (to use the official happy
>friendly Microsoft term for "gaping security hole") is hard to imagine if
>the program being attacked does not run as root.  Even then it is more
>likely that one can cause a program to crash with a carefully formed
>compressed packet - so it's more of a "denial of service" type of exploit
>through damage to the heap.  Most root exploits are of the "buffer overflow"
>type, which allow you to place code on the stack by exceeding the size of a
>local array.
>
I'm on vacation, so I haven't looked at this bug yet, but free() bugs 
can certainly be used to execute arbitrary code. Basically, if you can 
make a program call free() with a pointer to data controlled by you, 
you'll be able to write 4 bytes wherever you want, and that's usually 
more than enough for executing arbitrary code. For a detailed 
description of the problem take a look at 
http://phrack.org/phrack/57/p57-0x09 and 
http://phrack.org/phrack/57/p57-0x08.

Cheers,
Luciano.-
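Added example (not code from the original mail or from zlib): a small debug allocator in C that reports a second free() of the same pointer instead of handing it to the real allocator, which is the call that damages the heap. All names here (tracked_malloc, tracked_free, buggy_path, fixed_path) are assumptions of this example. The thread does not describe the actual zlib defect, so buggy_path only shows the generic shape of a double free (an early release on an error path followed by a second release in common cleanup), and fixed_path shows the usual remedy of clearing the pointer right after it is released, so the second call becomes the harmless free(NULL).

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 64
#define MAX_FREED 64

enum free_result { FREE_OK = 0, FREE_NULL, FREE_DOUBLE, FREE_UNKNOWN };

static void *live[MAX_LIVE];     /* pointers currently owned by the caller */
static size_t live_count;
static void *freed[MAX_FREED];   /* pointers already handed back to free() */
static size_t freed_count;

/* Linear search is fine for a debugging aid with a bounded table. */
static int find(void **table, size_t count, const void *p) {
    for (size_t i = 0; i < count; i++)
        if (table[i] == p) return (int)i;
    return -1;
}

/* Hypothetical tracked allocator: remembers every live block it hands out. */
void *tracked_malloc(size_t n) {
    if (live_count >= MAX_LIVE) return NULL;
    void *p = malloc(n);
    if (!p) return NULL;
    /* malloc may recycle an address we saw freed earlier: forget that record */
    int i = find(freed, freed_count, p);
    if (i >= 0) freed[i] = freed[--freed_count];
    live[live_count++] = p;
    return p;
}

/* Only passes p to the real free() if this allocator still considers it live. */
enum free_result tracked_free(void *p) {
    if (p == NULL) return FREE_NULL;        /* free(NULL) is a defined no-op */
    int i = find(live, live_count, p);
    if (i >= 0) {
        live[i] = live[--live_count];
        if (freed_count < MAX_FREED) freed[freed_count++] = p;
        free(p);
        return FREE_OK;
    }
    /* Not live: refuse to call free() (the step that corrupts heap metadata)
     * and report which kind of misuse this looks like. */
    return find(freed, freed_count, p) >= 0 ? FREE_DOUBLE : FREE_UNKNOWN;
}

/* Generic double-free shape (constructed, not the zlib code): the buffer is
 * released on an error path, then released again by the common cleanup
 * because the stale pointer value was never cleared. */
enum free_result buggy_path(void) {
    char *buf = tracked_malloc(32);
    if (!buf) return FREE_UNKNOWN;
    tracked_free(buf);          /* error path: early release */
    return tracked_free(buf);   /* common cleanup: second release -> FREE_DOUBLE */
}

/* Remedy: clear the pointer as soon as it is released, so any later release
 * of the same variable is free(NULL) and touches nothing. */
enum free_result fixed_path(void) {
    char *buf = tracked_malloc(32);
    if (!buf) return FREE_UNKNOWN;
    tracked_free(buf);
    buf = NULL;
    return tracked_free(buf);   /* FREE_NULL: harmless no-op */
}

int main(void) {
    static const char *names[] = { "FREE_OK", "FREE_NULL", "FREE_DOUBLE", "FREE_UNKNOWN" };
    printf("buggy_path: %s\n", names[buggy_path()]);
    printf("fixed_path: %s\n", names[fixed_path()]);
    return 0;
}
```

The tracked allocator is a debugging aid for test builds, not a production mitigation; its value is that a double free surfaces as a reported status (or a log line) at the offending call instead of as a heap that silently holds attacker-influenced data, which is the condition the mail above warns about.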



More information about the Squeak-dev mailing list