[Dailydave] eddy 0day
Evgeny Legerov
admin at gleg.net
Mon Feb 13 18:51:37 EST 2006
Hi,

Interesting Isode M-Vault Server 11.3 bug revealed with ProtoVer Sample LDAP (platform: FC4):

Program received signal SIGABRT, Aborted.
[Switching to Thread -1534674000 (LWP 3674)]
0xa667e7e2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
(gdb) bt
#0 0xa667e7e2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1 0xa5faf1f8 in raise () from /lib/libc.so.6
#2 0xa5fb0948 in abort () from /lib/libc.so.6
#3 0xa5fe452a in __libc_message () from /lib/libc.so.6
#4 0xa5fea424 in _int_free () from /lib/libc.so.6
#5 0xa5fea95f in free () from /lib/libc.so.6
#6 0x08190c38 in IC_LdapModifyOperation::operation_thread ()
#7 0x0818ec9e in IC_LdapModifyOperation::operation_thread ()
#8 0x0818ea74 in IC_LdapModifyOperation::operation_thread ()
#9 0x0818e826 in IC_LdapModifyOperation::operation_thread ()
#10 0x08187700 in IC_LdapResponder::handle_read_event_async ()
#11 0x08188369 in IC_AsyncObject<IC_LdapResponder>::_wrapper ()
#12 0x081c37d3 in Pthread__work ()
#13 0x081c344f in Pthread__work ()
#14 0xa60dab80 in start_thread () from /lib/libpthread.so.0
#15 0xa6051dee in clone () from /lib/libc.so.6
(gdb) i f 3
Stack frame at 0xa486ad2c:
eip = 0xa5fe452a in __libc_fatal; saved eip 0xa5fea424
called by frame at 0xa486ada4, caller of frame at 0xa486a6d4
Arglist at 0xa486ad24, args:
Locals at 0xa486ad24, Previous frame's sp is 0xa486ad2c
Saved registers:
ebx at 0xa486ad18, ebp at 0xa486ad24, esi at 0xa486ad1c, edi at 0xa486ad20, eip at 0xa486ad28
(gdb) x/10x 0xa486ad24
0xa486ad24: 0xa486ad9c 0xa5fea424 0x00000002 0xa60a23b4
0xa486ad34: 0xb731b448 0xa60a2428 0xa486ad87 0xa486ad80
0xa486ad44: 0x00000000 0xa486ad87
(gdb) x/s 0xa60a23b4
0xa60a23b4 <__libc_ptyname1+12237>: "*** glibc detected *** %s: %s: 0x%s ***\n"
(gdb) x/s 0xb731b448
0xb731b448: "/opt/isode/sbin/isode.eddy"
(gdb) x/s 0xa60a2428
0xa60a2428 <__libc_ptyname1+12353>: "double free or corruption (fasttop)"
(gdb)

This one looks like a double free vulnerability.

To reproduce:

[PROTOVER_SAMPLE_LDAP-1.0]$ ./run.py localhost 389 3102 1

Regards,
Evgeny Legerov
www.gleg.net
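
Added example, not part of the original post or of ProtoVer: a small triage helper that pulls out of pasted gdb output the glibc heap-check message, the allocator call that tripped it, and the first frame inside the server binary. The function name `triage`, the result keys and the abridged sample input are assumptions made for this illustration.

```python
import re

# Constructed sample: abridged copy of the gdb output quoted in the post.
SAMPLE = """\
#3 0xa5fe452a in __libc_message () from /lib/libc.so.6
#4 0xa5fea424 in _int_free () from /lib/libc.so.6
#5 0xa5fea95f in free () from /lib/libc.so.6
#6 0x08190c38 in IC_LdapModifyOperation::operation_thread ()
#10 0x08187700 in IC_LdapResponder::handle_read_event_async ()
0xa60a2428 <__libc_ptyname1+12353>: "double free or corruption (fasttop)"
"""

# One gdb backtrace frame; "from <lib>" is present only for shared objects.
FRAME = re.compile(r"^#(\d+)\s+(0x[0-9a-f]+) in (.+?) \(\)(?: from (\S+))?$")
# glibc heap-consistency abort reasons as they appear in quoted strings.
REASON = re.compile(r'"((?:double free or corruption|free\(\): invalid'
                    r'|malloc\(\): memory corruption|corrupted double-linked list)[^"]*)"')


def triage(gdb_text):
    """Summarise a glibc heap-check abort from pasted gdb output."""
    frames = []
    for line in gdb_text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append({"pc": m.group(2), "func": m.group(3), "lib": m.group(4)})
    # First frame without "from <lib>" belongs to the main executable.
    idx = next((i for i, f in enumerate(frames) if f["lib"] is None), None)
    app = frames[idx] if idx is not None else None
    # The library frame just above it is the allocator call the program made.
    call = frames[idx - 1] if idx else None
    m = REASON.search(gdb_text)
    reason = m.group(1) if m else None
    check = re.search(r"\(([^)]+)\)$", reason) if reason else None
    return {
        "reason": reason,                            # full glibc message
        "check": check.group(1) if check else None,  # which check fired
        "allocator_call": call["func"] if call else None,
        "app_frame": app["func"] if app else None,
        # gdb labels a pc with the nearest preceding symbol, so in a stripped
        # binary the name can be approximate; the pc is the value to keep.
        "app_pc": app["pc"] if app else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```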