On Thu, 14 Mar 2002 18:52:13 +0100 "KJK::Hyperion" <noogat_private> wrote: > ZLib implementations on Windows NT should be unaffected by the "double > free" bug, as long as they use the heap management functions of the Runtime > Library (RTL), or any front-end to them, since these functions do a pretty > good job at preventing heap corruption and access violations > I've been researching this bug since I heard that ssh passes packets to zlib unauthenticated this weekend, and to the best of my knowledge here is what I've been able to ascertain: Double free vulnerabilities are primarily an issue for malloc implementations based on Doug Lea's malloc. This primarily means linux systems currently. The vulnerability arises from the ability to use a technique first credited to Solar Designer, to exploit the unlink() routine into thinking the re-freed segment presents a valid block descriptor and to trick it into overwriting arbitrary locations with the data in that spoofed block descriptor. This comes about due to the <descriptor><mem><descriptor><mem> structure and algorithms this allocator uses. Other mallocs, such as the openbsd ones are not vulnerable to this kind of exploitation because they store the descriptors elsewhere. (Awww sorry kids, no obsd sploits this week just linux, shucks :-( ) [besides, Theo can still brag that they fixed their zlib implementation in obsd-current in January :-)] There is a very very very detailed and lengthy (skip to end for punchline :-) article in Phrack [0x0b 0x39 #0x09] (yay, phrack!) outlining the algorithms and how exploitation of this error works entitled: Once Upon a Free This is not to say other methods of exploting double-free errors do not exist, but exploiting non-dlmalloc implementations will be uh... more difficult. So before going off to do a lot of work researching what compression libs are used in the various programs on Windows, qnx and whatever platforms... first have a look at the maloc library and see if it's branched off a tree coming from the Doug Lea design, because if it's not you may not have an issue. Also as noted above some malloc libraries have explicit protection mechanisms for this class of error. If anyone knows of any other double free exploitation techniques for other platforms and malloc implementations, that I've missed in my survey, I would of course be interested in hearing about it. :-) So to confirm, yeah it looks like windows gets free pass in this round. cheers, --dr P.s. is there any more data on the specific kinds/algorithms of sequences that cause the doublefree to be invoked? wading through it with ddd is a pita ;) The original bug discussion board posting and code comments are not exactly lucid. P.P.s. in other gossip, discussion of this vulnerability in such rapid succession with the recent off by one has led Niels Provos to have some wonderful ideas, and he's coming up with a priviledge separated version of sshd that does not need to be root when handling network input. Details on his homepage. His patch is not quite working yet, but he says it will migrate into the portable version of openssh when tested and debugged. Wheee. Provos++ (Plug: come talk to him about it in Vancouver in May at cansecwest. :-) -- --dr pgpkey: http://dragos.com/dr-dursec.asc CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
This archive was generated by hypermail 2b30 : Fri Mar 15 2002 - 12:36:02 PST