[Dailydave] OpenBSD icmp6 overflow
Joel Eriksson
je-dailydave at bitnux.com
Wed Mar 14 19:59:28 EDT 2007

On Wed, Mar 14, 2007 at 03:31:16PM +0100, Sebastian Krahmer wrote:
>
> you probably know about
> http://www.coresecurity.com/?action=item&id=1703
>
> the description of how to exploit it sounds
> straightforward, so I wonder how this could
> be missed at the first look ;-)

My thoughts exactly. ;) Exploiting mbuf overflows is not exactly rocket
science (and no, this is not the first of its kind), especially not for
someone familiar with the code base, as I assume the OpenBSD developers
to be.

The possible mirrored overwrite should be obvious to anyone realizing
that mbufs are stored in a doubly linked list and the very convenient
ext_free function pointer to anyone bothering to read the source. ;)
Although the use of macros makes it a bit tedious..
(m_free -> MFREE -> _MEXTREMOVE)

> regards,
> Sebastian

--
Best Regards,
Joel Eriksson
CTO Bitsec