Zlib double free "hole"

Post by shado » Wed, 20 Mar 2002 04:19:17



With the recent advisories that have been flying around thanks to
the bug in zlib, I'm curious to know whether anyone has exploited the
zlib hole.

Please know I'm not looking for an actual exploit, but rather a
discussion on how a double free() could cause more than just
segmentation fault.

--
Thamer Al-Herbish             <URL http://www.whitefang.com/>


Zlib double free "hole"

Post by Ian Stirlin » Wed, 20 Mar 2002 05:56:16



> With the recent advisorises that have been flying around thanks to
> the bug in zlib I'm curious as to know if anyone has exploited the
> zlib hole?

> Please know I'm not looking for an actual exploit, but rather a
> discussion on how a double free() could cause more than just
> segmentation fault.

Is it a "chosen plaintext" or "chosen ciphertext" attack?
IOW, if the attacker has not got access to your ISP's PPP routers, is
there anything that can be done?

--

---------------------------+-------------------------+--------------------------
Q: What do you call a train that doesn't stop at stations?
A: Thomas the Bastard.                                                -- Ben


Zlib double free "hole"

Post by Martin Ouwehand » Thu, 21 Mar 2002 20:05:58




] Please know I'm not looking for an actual exploit, but rather a
] discussion on how a double free() could cause more than just
] segmentation fault.

If, after the first free(), you can modify the memory around the
free()-ed chunk (e.g. because you got it again from a subsequent
malloc(), or by overflowing a variable pointing to a chunk before
the free()-ed chunk), then you can manipulate the second free() to
write to more or less arbitrary memory locations. It should work
along the same lines as the malloc() exploits described here:

        http://www.phrack.org/phrack/57/p57-0x08
        http://www.phrack.org/phrack/57/p57-0x09

--
  | ~~~~~~~~ Martin Ouwehand ~ Swiss Federal Institute of Technology ~ Lausanne
__|_____________ Email/PGP: http://slwww.epfl.ch/info/Martin.html _____________
The rigidity of the living corpse expresses                           [Chögyam]
the opposite of a sense of humour                                     [Trungpa]
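Editor's note: the mechanism Martin describes, as a worked example added here and not part of any of the posts above. It is a toy dlmalloc-style allocator (names such as toy_malloc, toy_free, UNLINK, hook and payload are invented for the demo; the heap is a static array, and offsets assume a 64-bit build). It follows the "Once upon a free()" sequence from Phrack 57: free the same chunk twice, get it back from malloc() while it is still in the bin, plant fd/bk through the user pointer, and let the next malloc()'s unlink perform the two pointer writes. A hardened pair of routines shows the checks that stop it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a dlmalloc-style free chunk (the layout used in Phrack 57):
 * prev_size | size | fd | bk.  malloc() hands the caller &fd, so user data
 * written into a chunk that is still on the free list overlays fd and bk. */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
} chunk_t;

/* The classic unlink macro: two pointer writes that trust fd and bk. */
#define UNLINK(P) do {                      \
    chunk_t *FD = (P)->fd, *BK = (P)->bk;   \
    FD->bk = BK;   /* *(fd + 24) = bk */    \
    BK->fd = FD;   /* *(bk + 16) = fd */    \
} while (0)

static chunk_t heap[4];   /* simulated heap, constructed for this demo */
static chunk_t bin;       /* doubly linked free list with a sentinel head */
static int next_fresh;

/* Hypothetical attack targets: a function-pointer-like slot and a writable
 * buffer standing in for shellcode (it must tolerate the clobber at +16). */
static void *hook;
static union { unsigned char bytes[32]; chunk_t as_chunk; } payload;

static void toy_init(void) {
    memset(heap, 0, sizeof heap);
    memset(&payload, 0, sizeof payload);
    hook = NULL;
    bin.fd = bin.bk = &bin;
    next_fresh = 0;
}

static chunk_t *to_chunk(void *user) {
    return (chunk_t *)((uintptr_t)user - offsetof(chunk_t, fd));
}

/* Vulnerable free(): inserts at the bin head without asking whether the
 * chunk is already there, so a double free leaves fd/bk self-referential. */
static void toy_free(void *user) {
    chunk_t *p = to_chunk(user);
    p->fd = bin.fd;  p->bk = &bin;
    bin.fd->bk = p;  bin.fd = p;
}

/* Vulnerable malloc(): takes the bin head and unlinks it blindly. */
static void *toy_malloc(void) {
    if (bin.fd != &bin) {
        chunk_t *p = bin.fd;
        UNLINK(p);      /* write-what-where when fd/bk are attacker data */
        return &p->fd;
    }
    return next_fresh < 4 ? &heap[next_fresh++].fd : NULL;
}

/* Returns 1 if the double free redirected hook to the payload buffer. */
int demo_double_free(void) {
    toy_init();
    void *a = toy_malloc();
    toy_free(a);
    toy_free(a);                        /* the bug: a is freed twice */
    void *b = toy_malloc();             /* returns a, which stays in the bin */
    chunk_t **user = (chunk_t **)b;     /* user[0] is fd, user[1] is bk */
    user[0] = (chunk_t *)((uintptr_t)&hook - offsetof(chunk_t, bk)); /* FD->bk == hook */
    user[1] = &payload.as_chunk;        /* value written, also a writable address */
    memcpy(payload.bytes, "SHELLCODE", 9);
    (void)toy_malloc();                 /* unlink(a): hook = bk, payload+16 = fd */
    return hook == (void *)&payload;
}

/* Hardened free(): reject a chunk that is already in the bin. */
static int toy_free_checked(void *user) {
    chunk_t *p = to_chunk(user);
    for (chunk_t *q = bin.fd; q != &bin; q = q->fd)
        if (q == p) return -1;
    toy_free(user);
    return 0;
}

/* Hardened malloc(): glibc-style "corrupted double-linked list" check. */
static void *toy_malloc_checked(void) {
    if (bin.fd != &bin) {
        chunk_t *p = bin.fd;
        if (p->fd->bk != p || p->bk->fd != p) return NULL;
        UNLINK(p);
        return &p->fd;
    }
    return next_fresh < 4 ? &heap[next_fresh++].fd : NULL;
}

/* Same attack against the checked routines: the second free is refused,
 * and a tampered fd/bk pair is refused at unlink time.  Returns 1 on success. */
int demo_checked(void) {
    toy_init();
    void *a = toy_malloc();
    int first = toy_free_checked(a);    /* 0: accepted */
    int second = toy_free_checked(a);   /* -1: double free rejected */
    chunk_t **user = (chunk_t **)a;     /* simulate an overflow into fd/bk */
    user[0] = (chunk_t *)((uintptr_t)&hook - offsetof(chunk_t, bk));
    user[1] = &payload.as_chunk;
    void *r = toy_malloc_checked();     /* NULL: fd->bk does not point back */
    return first == 0 && second == -1 && r == NULL && hook == NULL;
}

int main(void) {
    printf("double free redirects hook: %d\n", demo_double_free());
    printf("checked allocator resists:  %d\n", demo_checked());
    return 0;
}
```

The constraint Martin alludes to with "more or less arbitrary" is visible in the macro: each unlink performs two writes, so both fd and bk must point at writable memory, which is why the value planted at the target is itself a pointer (here, the payload address) rather than an arbitrary integer.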