IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

New I'm confused about the entire thing
In my experience, a program that tries to free() an already free()'d area and thus leading to a corrupted memory arena just dies and dumps core. I can see how causing memory dumps might lead to a denial of service attack, but I am failing to see how this could lead to an actual attack on anything.

Enlighten me, Oh Fellow Unix'ers. And, please, stop pissing your pants, you alarmists.

One, give me one, actual exploit. Just one. Then I'll be dribbling along my legs.

With experience with free'ing corrupted memory spaces, this alert is just so much bullshit until something, somewhere, anywhere demonstrates an exploit. Programs will dump core. Maybe possibly there is an exploit. Yah right.
Where each demon is slain, more hate is raised, yet hate unchecked also multiplies. - L. E. Modesitt
New DoS is an attack
And that is the main risk here, as was clearly laid out in the advisory. The main reason why this is big is not that you can do that much to the system, it is the sheer amount of stuff that is affected.

As for a more useful exploit, well a double free causes corruption of memory somewhere. With more traditional means of doing so (eg buffer overflows) you get some control over what is corrupted, where. With a double free you don't. It is theoretically possible that the corruption could be such that you won't core dump, but instead will do something random. For instance a double-free at point A will lead to point B starting to execute code from point C, where C holds a user-defined text string. In that event then, given the fact that memory allocation issues are often deterministic, you might get the ability to exploit an application.

The possibility is admittedly remote, and would take both luck and careful analysis to find. But full exploits have been demonstrated in the past of this type of bug, and it is likely that between all of the architectures and applications that there are a few exploitable instances out there.

As is normal when talking about security and bugs, identifying which ones are exploitable is not really worth it (unless you are a black hat). The bug exists, is fixable, and fixing it is easier than detailed analysis.

Cheers,
Ben
"... I couldn't see how anyone could be educated by this self-propagating system in which people pass exams, teach others to pass exams, but nobody knows anything."
--Richard Feynman
New Re: DoS is an attack
For instance a double-free at point A will lead to point B starting to execute code from point C, where C holds a user-defined text string.

Right. When these alarmists can give an example of an actual exploitation, I'll believe it. This alarm involves a known problem that could involve a hypothetical problem that might somehow let another hypothetical exploit theoretically invoke a buffer overflow that might possibly have a problem.

It may be a security problem, but I see it as a FAR less problem than most of the hundred other Microsoft problems. It's not a maximum "red alert" piss-your-pants problem that it's been portrayed as.
Where each demon is slain, more hate is raised, yet hate unchecked also multiplies. - L. E. Modesitt
New Then I suggest...
...that you simply not upgrade any of your systems that might be affected. Wait until someone can figure out how to exploit it. And then you can attempt to maybe possibly use your machine as an after-the-fact honeypot.

Meanwhile, I'll just go run red-carpet, update my system, and not worry about it.
-YendorMike

Real programmers use "vi a.out".
New I've run into double-free problems before
The memory arena is corrupted, and eventually the program core dumps. I can't get my mind around a way to reliably exploit it. Getting the condition to happen and somehow using it for a denial of service attack, I can see how that might be possible, but it's not worth worrying about for a home system.
Where each demon is slain, more hate is raised, yet hate unchecked also multiplies. - L. E. Modesitt
New It's a known class of exploit...
...touching a large number of programs and systems. Buffer overflows are a very common class of root causes for security exploits. Testing for, and avoiding, overflows is a (relatively) simple, prophilactic measure that can avoid many, many possible exploits.

[link|http://www.openbsd.org/|OpenBSD] uses modified C libraries to do just this. Proprietary products (IIRC, StackGuard is one) work similarly. I also believe that one of the ideas behind Java is to protect writeabe (and readable) memory. One of the classic explorations of comparative robustness of free software vs. proprietary software is [link|http://online.securityfocus.com/library/2087|Fuzz Revisited], uses the relatively simple test of throwing arbitrary junk input to a program and watching the results.

I suggest again looking at my "Risks" comment above.
--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.ix.netcom.com/|[link|http://kmself.ix.netcom.com/|http://kmself.ix.netcom.com/]]
What part of "gestalt" don't you understand?
     zlib advisory - (ben_tilly) - (16)
         Re: zlib advisory - a similar link. - (a6l6e6x)
         Remedy? - (kmself) - (3)
             Erg. - (static)
             Well OpenBSD was never vulnerable. :-) - (ben_tilly) - (1)
                 OpenBSD as server - (kmself)
         Re: zlib advisory - (pwhysall) - (1)
             Re: zlib and up2date - (a6l6e6x)
         Microsoft vulnerable too - uses zlib code - (admin) - (2)
             Risk: adopting FS code without adopting FS practices - (kmself) - (1)
                 But note that MS doesn't update the build #'s - (tonytib)
         I'm confused about the entire thing - (wharris2) - (5)
             DoS is an attack - (ben_tilly) - (4)
                 Re: DoS is an attack - (wharris2) - (3)
                     Then I suggest... - (Yendor) - (1)
                         I've run into double-free problems before - (wharris2)
                     It's a known class of exploit... - (kmself)

Yeah! Coterminous!
622 ms