Dailydave mailing list archives
Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
From: "Dave Korn" <dave.korn () artimi com>
Date: Wed, 14 Mar 2007 14:48:23 -0000
[ forgot to send this reply last week, just wanted to wrap up the thread ]

On 06 March 2007 19:35, Brad Spengler wrote:

>> So why doesn't linux do like 'doze does, and permanently map a guard page at 0x0 in all user-spaces?
>
> What version of Windows are you using?

Anything except the '9x series.

> Maybe you're getting confused with the behavior that giving a NULL address as a hint to any allocation/mapping function is a special case within the OS to select its own address.

Nope, I'm getting confused with the behaviour that 'doze doesn't map a guard page, it just leaves the address *un*mapped (in both cases, to protect against NULL pointer derefs in user mode). Shoulda checked before I posted!

> Luckily though, the address passed in is rounded down internally, so giving an address of 1 will let you allocate at the 0 address. Here's some code to execute as an unprivileged user:

Couldn't get that to compile immediately, but I'll take your word for it.

> it'll verify a RWX allocation (0x40) and that the byte at 0x00000000 contains 0x10. If there were a permanently mapped guard page at 0, stuff like ntvdm wouldn't work. These bugs are exploitable in Windows.

Clearly so.

cheers,
DaveK
--
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
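The probe Brad describes in the quoted text is not reproduced on this page, so the following is an added example written for this archive, not code from the thread. It performs the same check: ask for an allocation at address 1 (a NULL hint would mean "anywhere"), let the kernel round it down to the page at 0, confirm the page is RWX (PAGE_EXECUTE_READWRITE, 0x40) with VirtualQuery, and read a byte back through address 0. Assumptions not in the mail: a 4 KiB page size, and the 0x10 marker is written by the probe itself before it is read back (the mail does not say what put it there). The non-Windows branch is an addition for comparison and simply reports what a fixed RWX mmap at address 0 does on a POSIX system; on Linux that is normally refused with EPERM because of vm.mmap_min_addr.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <errno.h>
#include <sys/mman.h>
#endif

/* Outcome of the probe. */
enum zp_status { ZP_MAPPED = 0, ZP_REFUSED = 1 };

struct zp_result {
    enum zp_status status;
    uintptr_t base;        /* base address the OS actually handed back */
    unsigned  protect;     /* Windows PAGE_* value from VirtualQuery; 0 elsewhere */
    unsigned  first_byte;  /* byte read back through address 0 after a successful map */
    int       err;         /* GetLastError() or errno when the map was refused */
};

/* The rounding the mail describes: the requested address is taken down to its
   page base, so a request for address 1 lands on the page at 0. (Assumed 4 KiB
   pages in the caller; the helper takes the size explicitly.) */
uintptr_t page_base(uintptr_t addr, uintptr_t page_size)
{
    return addr & ~(page_size - 1);
}

/* Try to map the zero page RWX from an unprivileged process, write a marker
   byte (0x10, chosen to match the value the mail checks for; the probe writes
   it itself), and read it back through address 0. */
struct zp_result probe_zero_page(void)
{
    struct zp_result r;
    memset(&r, 0, sizeof r);
#ifdef _WIN32
    MEMORY_BASIC_INFORMATION mbi;
    /* Address 1, not 0: a NULL hint tells VirtualAlloc to pick any address. */
    void *p = VirtualAlloc((LPVOID)1, 0x1000, MEM_RESERVE | MEM_COMMIT,
                           PAGE_EXECUTE_READWRITE);        /* 0x40 */
    if (p == NULL) {
        r.status = ZP_REFUSED;
        r.err = (int)GetLastError();
        return r;
    }
    VirtualQuery(p, &mbi, sizeof mbi);
    r.base = (uintptr_t)mbi.BaseAddress;       /* expect 0 */
    r.protect = (unsigned)mbi.Protect;         /* expect 0x40 */
    *(volatile unsigned char *)p = 0x10;
    r.first_byte = *(volatile unsigned char *)p;
    r.status = ZP_MAPPED;
    VirtualFree(p, 0, MEM_RELEASE);
#else
    /* Same experiment on POSIX: a fixed anonymous RWX mapping at address 0. */
    void *p = mmap((void *)0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        r.status = ZP_REFUSED;
        r.err = errno;                         /* EPERM under vm.mmap_min_addr */
        return r;
    }
    r.base = (uintptr_t)p;
    *(volatile unsigned char *)p = 0x10;
    r.first_byte = *(volatile unsigned char *)p;
    r.status = ZP_MAPPED;
    munmap(p, 4096);
#endif
    return r;
}

int main(void)
{
    struct zp_result r = probe_zero_page();
    if (r.status == ZP_MAPPED)
        printf("zero page mapped: base=%#lx protect=%#x byte@0=%#x\n",
               (unsigned long)r.base, r.protect, r.first_byte);
    else
        printf("zero page refused: error %d\n", r.err);
    return 0;
}
```

The probe reports either outcome rather than assuming one: the 2007 behaviour the mail describes is that an unprivileged process gets the page, while later Windows releases added a mitigation that refuses zero-page allocations for ordinary processes, so running this on a current system is the quickest way to see which case applies.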
Current thread:
  - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns, (continued)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns  Michal Zalewski (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns  TINNES Julien RD-MAPS-ISS (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns  don bailey (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns  Thomas Ptacek (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns  Michal Zalewski (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns  Dave Korn (Mar 06)
    - (windows is vulnerable too) & final comments on naming  Brad Spengler (Mar 07)
    - Re: (windows is vulnerable too) & final comments on naming  intropy (Mar 07)
    - Re: (windows is vulnerable too) & final comments on naming  Dave Aitel (Mar 07)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns  Joel Eriksson (Mar 07)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns  Dave Korn (Mar 14)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns  Sebastian Krahmer (Mar 06)