On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
[..]
> While I'd love to see an exploit from a purely academic perspective,
> it doesn't appear that this is the type of bug where exploitation is
> going to be reliable enough to support a worm. The reference counter
> in question is most likely 32 bits, but even giving the benefit of the
> doubt and saying it's a 16-bit refcount, that's still 2^16 events
> (probably receiving a certain UDP packet) that need to be triggered
> precisely in order to cause a refcount overflow and then trigger a
> remote kernel use-after-free condition, which wouldn't be trivial to
> exploit even by itself. On an unreliable network like the Internet,
> it seems unlikely that the kind of traffic volume required to trigger
> this bug could be generated without dropping a single packet.
> Reliable DoS seems more likely though.
I would love to hear about results running this exploit/PoC/whatever
against a xBSD TCP/IP stack. Microsoft Windows TCP/IP stack looks so
BSDish to me since Windows Vista. But that's probably because they
"rewrote" it completely at that time (with integration of their "new"
IPv6 stack also).

Joke: "Chuck Norris can exploit sockets that aren't even listening."

--
   ^  ___  ___             http://www.GomoR.org/          <-+
   | / __ |__/   Senior Security Engineer                    |
   | \__/ |  \   ---[ zsh$ alias psed='perl -pe ' ]---       |
   +--> Net::Frame <=> http://search.cpan.org/~gomor/    <---+

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
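The refcount arithmetic in the quoted message, as an added example that is not part of the thread and not code from either author: a 16-bit counter stands in for the hypothetical counter width Dan discusses, a loop models references that are taken but never released, and the wrap-to-zero that follows lets an ordinary get/put pair free an object the owner still holds. The second counter is the mitigation a defender wants here: it saturates at its ceiling and pins the object (leaked, never freed), in the spirit of Linux's refcount_t, so the same leak can no longer end in a use-after-free. All names and the starting count of one owner reference are assumptions for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive 16-bit reference counter: increments wrap silently modulo 2^16. */
typedef struct { uint16_t count; } naive_ref_t;

static void naive_get(naive_ref_t *r) { r->count++; }
/* Returns true when the count reaches zero, i.e. the object would be freed. */
static bool naive_put(naive_ref_t *r) { r->count--; return r->count == 0; }

/* Saturating counter: once at the ceiling (or bumped from zero) it sticks and
 * reports the event; the object is then leaked rather than ever freed. */
typedef struct { uint16_t count; bool saturated; } sat_ref_t;

/* Returns false when the increment was refused because the counter is saturated. */
static bool sat_get(sat_ref_t *r) {
    if (r->saturated) return false;
    if (r->count == UINT16_MAX || r->count == 0) { /* would wrap, or get-from-zero */
        r->saturated = true;
        return false;
    }
    r->count++;
    return true;
}
/* Returns true only when a non-saturated count legitimately drops to zero. */
static bool sat_put(sat_ref_t *r) {
    if (r->saturated) return false;        /* pinned: never free */
    r->count--;
    return r->count == 0;
}

/* Model: one owner reference, `leaked_gets` references taken and never dropped,
 * then one well-behaved user does get/put. Returns true if that put frees the
 * object while the owner still holds it (the use-after-free precondition). */
static bool naive_leak_frees_live_object(uint32_t leaked_gets) {
    naive_ref_t r = { .count = 1 };           /* assumed: owner holds one ref */
    for (uint32_t i = 0; i < leaked_gets; i++) naive_get(&r);
    naive_get(&r);                            /* legitimate user takes a ref ... */
    return naive_put(&r);                     /* ... and drops it */
}

/* Same scenario on the saturating counter; *saturated_out reports whether the
 * counter detected the overflow (a point to log/alert on in a hardened kernel). */
static bool sat_leak_frees_live_object(uint32_t leaked_gets, bool *saturated_out) {
    sat_ref_t r = { .count = 1, .saturated = false };
    for (uint32_t i = 0; i < leaked_gets; i++) sat_get(&r);
    sat_get(&r);
    bool freed = sat_put(&r);
    if (saturated_out) *saturated_out = r.saturated;
    return freed;
}

int main(void) {
    uint32_t wrap = UINT16_MAX;  /* 2^16 - 1 leaked refs wrap a count of 1 to 0 */
    bool sat = false;
    printf("naive, %u leaked refs: object freed while in use = %s\n",
           wrap, naive_leak_frees_live_object(wrap) ? "yes" : "no");
    printf("saturating, %u leaked refs: freed = %s, overflow detected = %s\n",
           wrap, sat_leak_frees_live_object(wrap, &sat) ? "yes" : "no",
           sat ? "yes" : "no");
    return 0;
}
```

The naive path shows why the count of events matters in the quoted reasoning: nothing short of the full wrap produces a free, and one dropped packet in the middle just leaves the counter short of zero. The saturating path shows the property a defender wants instead: the leak becomes a detectable, logged condition and a pinned allocation, not a freed object with live references.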
