] Please know I'm not looking for an actual exploit, but rather a
] discussion on how a double free() could cause more than just
] segmentation fault.
if, after the first free(), you can modify the memory around the
free()-ed chunk (e.g. because you got it again from a subsequent
malloc() or by overflowing a variable pointing to a chunk before
the free()-ed chunk), then you can manipulate the second free() to
write to more or less arbitrary memory locations. It should work
along the same lines as the malloc() exploits described here:
http://www.phrack.org/phrack/57/p57-0x08
http://www.phrack.org/phrack/57/p57-0x09
--
| ~~~~~~~~ Martin Ouwehand ~ Swiss Federal Institute of Technology ~ Lausanne
__|_____________ Email/PGP: http://slwww.epfl.ch/info/Martin.html _____________
The rigidity of the living corpse expresses [Chögyam]
the opposite of a sense of humour [Trungpa]
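To make the reply's point concrete from the defender's side, here is an added example (not part of the original post, and not glibc's allocator): a constructed toy free-list allocator whose freed chunks reuse their user data as the "next free" link, the same design feature that a double free corrupts. It shows that a naive second free() puts the chunk on the list twice, so two later allocations alias the same memory, and shows the cheap check an allocator can add to reject the second free().

```c
#include <stdio.h>

/* Constructed toy allocator: a fixed arena of equal-sized chunks on a
   singly linked free list. A free chunk stores its "next" link in the
   bytes that a live chunk hands to the user (like many real allocators). */
#define NCHUNKS 8
typedef union chunk { union chunk *next; char data[32]; } chunk_t;

static chunk_t arena[NCHUNKS];
static chunk_t *free_head;

static void toy_reset(void) {
    free_head = NULL;
    for (int i = NCHUNKS - 1; i >= 0; i--) { arena[i].next = free_head; free_head = &arena[i]; }
}

static void *toy_malloc(void) {
    chunk_t *c = free_head;
    if (!c) return NULL;
    free_head = c->next;          /* the link is read from the chunk itself */
    return c;
}

/* Naive free: trusts the caller and pushes the chunk on the list again. */
static void toy_free_naive(void *p) {
    chunk_t *c = p;
    c->next = free_head;
    free_head = c;
}

/* Checked free: refuses a chunk that is already on the free list. Real
   allocators do a cheaper version (e.g. comparing against the list head). */
static int toy_free_checked(void *p) {
    chunk_t *c = p;
    for (chunk_t *q = free_head; q; q = q->next)
        if (q == c) return -1;    /* double free detected */
    c->next = free_head;
    free_head = c;
    return 0;
}

/* After a double free, two distinct allocations return the same chunk:
   whatever one user writes into its buffer, the other (and the allocator's
   link field) sees. Returns 1 when that aliasing occurs. */
int demo_double_free_aliases(void) {
    toy_reset();
    void *a = toy_malloc();
    toy_free_naive(a);
    toy_free_naive(a);            /* chunk is now on the list twice */
    return toy_malloc() == toy_malloc();
}

/* The checked free() accepts the first release and rejects the second. */
int demo_checked_free_rejects(void) {
    toy_reset();
    void *a = toy_malloc();
    return toy_free_checked(a) == 0 && toy_free_checked(a) == -1;
}

int main(void) {
    printf("naive allocator aliases after double free: %d\n", demo_double_free_aliases());
    printf("checked free rejects second free:          %d\n", demo_checked_free_rejects());
    return 0;
}
```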