Dailydave mailing list archives
Re: Dangling pointers exploitation
From: jf <jf () danglingpointers net>
Date: Thu, 26 Jul 2007 01:17:31 +0000 (UTC)
All apologies, my intent is not to get into semantics, but rather to point out that thus far no one has presented an argument about anything new. If they really have a method for triggering some of these types of problems, then I will agree it's something interesting, but I didn't get that impression from anything I've seen or heard; rather, I've heard what appears to be hype and propaganda by a reporter who either doesn't know what they're talking about, or can't properly communicate what they're talking about. If I'm wrong, then post-BH I'll say I'm wrong, but I don't think that's the case.

On Wed, 25 Jul 2007, Thomas Ptacek wrote:
> Date: Wed, 25 Jul 2007 12:19:04 -0500
> From: Thomas Ptacek <tqbf () matasano com>
> To: jf <jf () danglingpointers net>
> Cc: ergosum () neurosecurity com, dailydave () lists immunitysec com
> Subject: Re: [Dailydave] Dangling pointers exploitation
>
> We're getting into a semantic argument I'm not interested in. The "class" of vulnerabilities I'm considering is "pointers that take what appears to be an unpredictable wild value, where attackers can influence either the value of the pointer or the memory the pointer points at". That class includes Halvar's stale stack frames, use-after-free, Dowd's Sendmail exception-safety hole, and C++ STL iterator invalidations. I'm pretty sure we agree there are similarities here.
>
> I'm totally uninterested in who-invented-what. I'm very interested in new techniques to trigger this class of vulnerabilities. Which is what I told Dennis. =)
>
> On 7/25/07, jf <jf () danglingpointers net> wrote:
>> Didn't Halvar already talk about uninitialized automatic/local variables? And how is a use-after-free condition any different than a double free (other than you get to skip the second free)?
>>
>> On Wed, 25 Jul 2007, Thomas Ptacek wrote:
>>> Date: Wed, 25 Jul 2007 12:02:32 -0500
>>> From: Thomas Ptacek <tqbf () matasano com>
>>> To: jf <jf () danglingpointers net>
>>> Cc: ergosum () neurosecurity com, dailydave () lists immunitysec com
>>> Subject: Re: [Dailydave] Dangling pointers exploitation
>>>
>>> Uninitialized automatic variables and use-after-free variables seem of-a-kind: you have a pointer whose value seems unpredictable but is in fact strongly influenced by the execution environment, which is in turn often influenced by inputs and timing.
>>>
>>> On 7/25/07, jf <jf () danglingpointers net> wrote:
>>>> Let me just qualify that I was talking about the whole class of wild-pointer bugs. How would it be any different than ptr+overflowed_offset/array[negative_index]/et cetera bugs?
>>>>
>>>> Perhaps the guys found a new way of reliably exploiting a very specific form of dangling pointer bugs, but I don't see how it could possibly qualify as being a new class of vulns, nor can I think of anyone who has ever said a dangling pointer was a QA issue and not a security issue.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
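Ptacek's framing in the quoted messages (a pointer whose target is decided by the execution environment, which later input can steer) can be made concrete with a toy allocator. This is an added example, not code from the thread: the two-slot allocator, the `session` struct and the poison-plus-quarantine mitigation are all constructed here. With immediate slot reuse the dangling read returns whatever the next allocation wrote; with poison and delayed reuse it returns a recognisable marker that a checker can flag instead.

```c
#include <stdint.h>
#include <string.h>

/* Constructed two-slot allocator: allocation order alone decides what a
 * dangling pointer sees, with no dependence on a real heap's behaviour. */
struct session { uint32_t id; char tag[28]; };

#define SLOTS 2
#define POISON_BYTE 0xFE
#define POISON_ID   0xFEFEFEFEu

static struct session heap[SLOTS];
static int in_use[SLOTS];
static int quarantined[SLOTS];   /* freed and poisoned, held back from reuse */
static int hardened;             /* 0: reuse freed slot at once; 1: poison + quarantine */

static struct session *toy_alloc(void) {
    for (int pass = 0; pass < 2; pass++)          /* pass 0 skips quarantined slots */
        for (int i = 0; i < SLOTS; i++)
            if (!in_use[i] && (pass == 1 || !quarantined[i])) {
                in_use[i] = 1; quarantined[i] = 0;
                memset(&heap[i], 0, sizeof heap[i]);
                return &heap[i];
            }
    return NULL;
}

static void toy_free(struct session *p) {
    int i = (int)(p - heap);
    in_use[i] = 0;
    if (hardened) { memset(p, POISON_BYTE, sizeof *p); quarantined[i] = 1; }
}

/* Detection hook: a poisoned id marks a read through a freed object. */
int looks_freed(const struct session *p) { return p->id == POISON_ID; }

/* Allocate, free, allocate again, then read through the stale pointer.
 * Returns the id the dangling pointer observes. */
uint32_t stale_read(int harden, uint32_t later_input) {
    memset(in_use, 0, sizeof in_use);
    memset(quarantined, 0, sizeof quarantined);
    hardened = harden;
    struct session *s = toy_alloc();
    s->id = 1;
    toy_free(s);                        /* s now dangles */
    struct session *t = toy_alloc();    /* where this lands is the allocator's choice */
    t->id = later_input;                /* contents driven by later input */
    uint32_t seen = s->id;              /* the dangling read */
    toy_free(t);
    return seen;
}
```

The same dangling read yields `later_input` in the unhardened configuration and `POISON_ID` in the hardened one, which is the difference between input-steered memory and a detectable fault.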
Current thread:
- Dangling pointers exploitation ergosum (Jul 24)
- Re: Dangling pointers exploitation Thomas Ptacek (Jul 25)
- Re: Dangling pointers exploitation jf (Jul 25)
- Re: Dangling pointers exploitation Thomas Ptacek (Jul 25)
- Re: Dangling pointers exploitation jf (Jul 25)
- Re: Dangling pointers exploitation Thomas Ptacek (Jul 25)
- Re: Dangling pointers exploitation jf (Jul 25)
- Re: Dangling pointers exploitation jf (Jul 25)
- Re: Dangling pointers exploitation Pusscat (Jul 25)
- Re: Dangling pointers exploitation Chris Rohlf (Jul 25)
- Re: Dangling pointers exploitation Matt (Jul 25)
- Re: Dangling pointers exploitation pageexec (Jul 25)
- Re: Dangling pointers exploitation Thomas Ptacek (Jul 25)
- Re: Dangling pointers exploitation pageexec (Jul 25)
- Re: Dangling pointers exploitation Tyler Krpata (Jul 25)
- Re: Dangling pointers exploitation Thomas Ptacek (Jul 25)