IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Security Forum / DoS is an attack
Post #32,278
by ben_tilly
3/14/02 11:38:03 PM
Reply
New DoS is an attack
And that is the main risk here, as was clearly laid out in the advisory. The main reason why this is big is not that you can do that much to the system, it is the sheer amount of stuff that is affected.

As for a more useful exploit, well a double free causes corruption of memory somewhere. With more traditional means of doing so (eg buffer overflows) you get some control over what is corrupted, where. With a double free you don't. It is theoretically possible that the corruption could be such that you won't core dump, but instead will do something random. For instance a double-free at point A will lead to point B starting to execute code from point C, where C holds a user-defined text string. In that event then, given the fact that memory allocation issues are often deterministic, you might get the ability to exploit an application.

The possibility is admittedly remote, and would take both luck and careful analysis to find. But full exploits have been demonstrated in the past of this type of bug, and it is likely that between all of the architectures and applications that there are a few exploitable instances out there.

As is normal when talking about security and bugs, identifying which ones are exploitable is not really worth it (unless you are a black hat). The bug exists, is fixable, and fixing it is easier than detailed analysis.

Cheers,
Ben
"... I couldn't see how anyone could be educated by this self-propagating system in which people pass exams, teach others to pass exams, but nobody knows anything."
--Richard Feynman
Post #32,282
by wharris2
3/15/02 12:08:18 AM
Reply
New Re: DoS is an attack
For instance a double-free at point A will lead to point B starting to execute code from point C, where C holds a user-defined text string.

Right. When these alarmists can give an example of an actual exploitation, I'll believe it. This alarm involves a known problem that could involve a hypothetical problem that might somehow let another hypothetical exploit theoretically invoke a buffer overflow that might possibly have a problem.

It may be a security problem, but I see it as a FAR less problem than most of the hundred other Microsoft problems. It's not a maximum "red alert" piss-your-pants problem that it's been portrayed as.
Where each demon is slain, more hate is raised, yet hate unchecked also multiplies. - L. E. Modesitt
Post #32,316
by Yendor
3/15/02 9:56:32 AM
Reply
New Then I suggest...
...that you simply not upgrade any of your systems that might be affected. Wait until someone can figure out how to exploit it. And then you can attempt to maybe possibly use your machine as an after-the-fact honeypot.

Meanwhile, I'll just go run red-carpet, update my system, and not worry about it.
-YendorMike

Real programmers use "vi a.out".
Post #32,434
by wharris2
3/16/02 10:05:44 AM
Reply
New I've run into double-free problems before
The memory arena is corrupted, and eventually the program core dumps. I can't get my mind around a way to reliably exploit it. Getting the condition to happen and somehow using it for a denial of service attack, I can see how that might be possible, but it's not worth worrying about for a home system.
Where each demon is slain, more hate is raised, yet hate unchecked also multiplies. - L. E. Modesitt
Post #32,361
by kmself
Picture of kmself
3/15/02 2:12:46 PM
Reply
New It's a known class of exploit...
...touching a large number of programs and systems. Buffer overflows are a very common class of root causes for security exploits. Testing for, and avoiding, overflows is a (relatively) simple, prophilactic measure that can avoid many, many possible exploits.

[link|http://www.openbsd.org/|OpenBSD] uses modified C libraries to do just this. Proprietary products (IIRC, StackGuard is one) work similarly. I also believe that one of the ideas behind Java is to protect writeabe (and readable) memory. One of the classic explorations of comparative robustness of free software vs. proprietary software is [link|http://online.securityfocus.com/library/2087|Fuzz Revisited], uses the relatively simple test of throwing arbitrary junk input to a program and watching the results.

I suggest again looking at my "Risks" comment above.
--
Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]
[link|http://kmself.ix.netcom.com/|[link|http://kmself.ix.netcom.com/|http://kmself.ix.netcom.com/]]
What part of "gestalt" don't you understand?
     zlib advisory - (ben_tilly) - (16) - March 11, 2002, 05:46:41 PM EST
         Re: zlib advisory - a similar link. - (a6l6e6x) - March 11, 2002, 11:25:28 PM EST
         Remedy? - (kmself) - (3) - March 12, 2002, 12:12:38 AM EST
             Erg. - (static) - March 12, 2002, 12:27:49 AM EST
             Well OpenBSD was never vulnerable. :-) - (ben_tilly) - (1) - March 12, 2002, 12:41:28 AM EST
                 OpenBSD as server - (kmself) - March 12, 2002, 01:51:32 PM EST
         Re: zlib advisory - (pwhysall) - (1) - March 12, 2002, 02:29:24 AM EST
             Re: zlib and up2date - (a6l6e6x) - March 12, 2002, 02:29:21 PM EST
         Microsoft vulnerable too - uses zlib code - (admin) - (2) - March 14, 2002, 10:07:28 PM EST
             Risk: adopting FS code without adopting FS practices - (kmself) - (1) - March 15, 2002, 01:45:18 AM EST
                 But note that MS doesn't update the build #'s - (tonytib) - March 15, 2002, 09:37:37 PM EST
         I'm confused about the entire thing - (wharris2) - (5) - March 14, 2002, 11:08:50 PM EST
             DoS is an attack - (ben_tilly) - (4) - March 14, 2002, 11:38:03 PM EST
                 Re: DoS is an attack - (wharris2) - (3) - March 15, 2002, 12:08:18 AM EST
                     Then I suggest... - (Yendor) - (1) - March 15, 2002, 09:56:32 AM EST
                         I've run into double-free problems before - (wharris2) - March 16, 2002, 10:05:44 AM EST
                     It's a known class of exploit... - (kmself) - March 15, 2002, 02:12:46 PM EST

Until it's frozen.
41 ms