August 02, 2005
Adapting attacks
1. Samba Buffer Overflow
StrnCpy is called carelessly, which is what leads to the buffer overflow.
I'm working on samba-2.2.3a; if you check out samba-2.2.8a, you'll see StrnCpy has been replaced by pstrcpy.
2. CVS Double Free Bug
http://www.kb.cert.org/vuls/id/650937
The CVS server component contains a "double-free" vulnerability that can be triggered by a set of specially crafted directory change requests. While processing these requests, an error checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory can lead to heap corruption, which may be leveraged by an attacker to execute arbitrary code.
http://www.linuxsecurity.com/content/view/104580/103/
The impact is most severe when running the CVS server in `pserver' mode to provide read-only access to the world (anoncvs).
http://www.xfocus.net/vuls/200301/3548.html
CVS has a flaw in handling directory change requests: by sending a malformed directory name, the function can be made to return while a global variable still points at memory that has already been freed and has not been assigned a new value. When the next directory request is processed, a classic double-free() occurs; if the submitted directory name carefully overwrites the memory structures, arbitrary code can be executed on the system.
Deeper insights:
http://overflow.nease.net/txt/double_free_heap.txt
http://cert.uni-stuttgart.de/archive/bugtraq/2003/02/msg00003.html
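As an added illustration (not code from this post, from CVS, or from the linked write-ups), here is a simplified model of the pattern described above: a global directory-name pointer released at the top of the request handler, an early return on a malformed name that leaves the pointer dangling, and the next request releasing it a second time. The tracking arena, the `valid_dir` check and the request strings are constructed for the demo; the hardened handler shows the fix of resetting the pointer right after releasing it.

```c
#include <stdio.h>
#include <string.h>

/* Tiny bump arena standing in for the heap: blocks are never reused, so a
 * second release of the same block can be recognised and counted instead of
 * corrupting allocator metadata the way a real double free() would. */
#define SLOTS 8
#define SLOT_SIZE 64
static char arena[SLOTS][SLOT_SIZE];
static int  live[SLOTS], next_slot, double_frees;

static char *arena_strdup(const char *s) {
    if (next_slot >= SLOTS || strlen(s) >= SLOT_SIZE) return NULL;
    live[next_slot] = 1;
    return strcpy(arena[next_slot++], s);
}

static void arena_free(char *p) {
    for (int i = 0; i < next_slot; i++)
        if (p == arena[i]) { if (live[i]) live[i] = 0; else double_frees++; return; }
}

/* Hypothetical validation: reject absolute names and upward traversal. */
static int valid_dir(const char *name) {
    return name[0] != '/' && strstr(name, "..") == NULL;
}

static char *dir_name;  /* global state that survives across requests */

/* Vulnerable pattern: old name released first, early return leaves it dangling. */
static int dirswitch_vuln(const char *name) {
    if (dir_name != NULL) arena_free(dir_name);
    if (!valid_dir(name)) return -1;          /* dir_name still points at freed block */
    dir_name = arena_strdup(name);
    return dir_name ? 0 : -1;
}

/* Hardened pattern: reset the pointer immediately after releasing it. */
static int dirswitch_fixed(const char *name) {
    if (dir_name != NULL) { arena_free(dir_name); dir_name = NULL; }
    if (!valid_dir(name)) return -1;          /* nothing dangling on this path */
    dir_name = arena_strdup(name);
    return dir_name ? 0 : -1;
}

/* Replay three constructed requests (good, malformed, good) and count double frees. */
static int run_sequence(int (*handler)(const char *)) {
    const char *reqs[] = { "src", "../etc", "lib" };
    dir_name = NULL; next_slot = 0; double_frees = 0;
    for (int i = 0; i < 3; i++) handler(reqs[i]);
    return double_frees;
}

int main(void) {
    printf("vulnerable handler: %d double free(s)\n", run_sequence(dirswitch_vuln));
    printf("fixed handler:      %d double free(s)\n", run_sequence(dirswitch_fixed));
    return 0;
}
```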
I'm working on cvs-1.11.1p1; it's not available from the official site, but if you do a search you can easily find an rpm package.
Posted by Roy at August 2, 2005 10:56 PM