
Re: netstrings example vulnerable

From: Joel Eriksson <je-vulndev(at)bitnux.com>
Date: Sat May 31 2003 - 09:45:59 EDT

On Wed, May 28, 2003 at 04:03:58AM +0300, Timo Sirainen wrote:
> http://cr.yp.to/proto/netstrings.txt

What a surprise.

Well, scanf("%9lu") will not accept more than 9 digits, so we can't enter 4294967295 = 0xffffffff to get malloc(len + 1) to become malloc(0), which in glibc's malloc implementation is equivalent to malloc(8).

But we don't have to, even though lu = unsigned long, nothing stops us from feeding a signed integer to scanf(). So, entering "-1:lots-of-bytes" will set len to 4294967295, allocate 8 bytes, and read lots of data from stdin until EOF (or until it tries to write to an unmapped page).

As far as I can tell, the exploitability of the code above depends on context, unless fread() allocates something on the heap but I don't see why it would, and depending on what barf() does.

> Oh, and djb knows about this now, didn't say if he's going to bother

Do you need help?X

Seems like he didn't bother.

-- 
Joel Eriksson
-------------------------------------------------
Cellphone: +46-70-288 64 16 Home: +46-26-10 23 37
Security Research & Systems Development at Bitnux
PGP Key Server pgp.mit.edu, PGP Key ID 0x529FDBD1
A615 A1E1 3CA2 D7C2 CFEA 47B4 7EF7 E6B2 529F DBD1
-------------------------------------------------
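The two points of the message, as an added example that is not part of the thread and not djb's own netstrings.txt code: scanf_len() reproduces the "%9lu" parsing step and shows that "-1" is accepted and wraps (ULONG_MAX, so len + 1 is 0; the message quotes the 32-bit value 4294967295), and parse_netstring() is one strict decoder that only accepts the netstrings grammar (1 to 9 digits, no sign, no leading zero, ':' payload ','), checking the length against the available bytes before anything is copied. All function names are assumptions for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* The parsing step discussed in the thread: "%9lu" limits the digit count,
 * but like strtoul() it accepts a sign, so "-1" becomes ULONG_MAX and
 * len + 1 wraps to 0, which is the tiny malloc() the message describes. */
unsigned long scanf_len(const char *input) {
    unsigned long len = 0;
    if (sscanf(input, "%9lu", &len) < 1)
        return 0;
    return len;
}

/* Strict decoder for an in-memory buffer: only the grammar of netstrings.txt
 * is accepted. Returns the payload length and sets *payload, or -1 for any
 * malformed input (sign, leading zero, more than 9 digits, missing ':' or
 * ',', or a length larger than the bytes actually present). */
long parse_netstring(const char *in, size_t inlen, const char **payload) {
    size_t i = 0, len = 0, ndigits = 0;
    *payload = NULL;
    while (i < inlen && in[i] >= '0' && in[i] <= '9') {
        if (++ndigits > 9) return -1;                 /* more than 9 digits */
        if (ndigits == 2 && in[0] == '0') return -1;  /* leading zero */
        len = len * 10 + (size_t)(in[i] - '0');       /* <= 999999999, no wrap */
        i++;
    }
    if (ndigits == 0) return -1;                      /* no digits: rejects "-1" */
    if (i >= inlen || in[i] != ':') return -1;
    i++;
    if (inlen - i < len + 1) return -1;               /* payload plus ',' must fit */
    if (in[i + len] != ',') return -1;
    *payload = in + i;
    return (long)len;
}

/* Convenience wrappers for NUL-terminated inputs (used by the checks). */
long netstring_len(const char *in) {
    const char *p;
    return parse_netstring(in, strlen(in), &p);
}

int netstring_payload_is(const char *in, const char *expected) {
    const char *p;
    long n = parse_netstring(in, strlen(in), &p);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(p, expected, (size_t)n) == 0;
}
```

On a 64-bit glibc system scanf_len("-1:xyz") yields 18446744073709551615 rather than the 32-bit 4294967295 quoted above; the wrap of len + 1 to 0 is the same in both cases.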

Received on Sun Jun 1 15:35:39 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:39 EDT
