Dailydave mailing list archives

Re: Exploits matter.


From: Jesse Gough <jesse_gough () symantec com>
Date: Thu, 8 Oct 2009 17:57:00 -0700


On Thu, 08 Oct 2009, Alexander Sotirov wrote:

> On Thu, Oct 08, 2009 at 10:47:19AM +0200, Ilfak Guilfanov wrote:
> > Sorry for my ignorance, are NULL pointer dereference bugs exploitable today?
>
> Hi Ilfak,
>
> NULL pointer dereferences in userspace programs are generally not exploitable,
> but in some rare cases they might be. For example, Mark Dowd published a Flash
> exploit where a NULL pointer was used as the base of an array that was accessed
> with an arbitrary array index. This turned the NULL pointer dereference into an
> arbitrary memory write operation. Here's his detailed writeup about the exploit:
> http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf
>
> This exploitation technique (and other interesting ones) were also described
> in a really under-appreciated presentation by Gaël Delalleau at CanSecWest 2005:
> http://cansecwest.com/core05/memory_vulns_delalleau.pdf
>
> In the Linux kernel, NULL pointer dereferences are exploitable in many cases,
> because the user can mmap memory at address 0 through a variety of techniques
> and take control of the data structure the kernel is dereferencing. Brad
> Spender has released multiple Linux local privilege escalation exploits
> to prove this point. See this blog post for more info:
> http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html
>
> Take care,
> Alex

There is also Barnaby Jack's paper on exploiting NULL derefs on ARM and
XScale. Conveniently, address 0 holds the exception vector table, which
turns out to be a pretty convenient place to write to :)

http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf

Another example against Internet Explorer from a few years ago:
http://www.uninformed.org/?v=4&a=5&t=txt

There is a bit of a semantic issue. First of all, consider that memory
address 0x00000000 is technically just as valid of a memory address
as 0xbfffffff. It's not as if there is a missing transistor on your DRAM
chips at the first addressable position. With virtual memory abstracting
you anyway, there is even less reason to accept this as truth and
to equate 0x00000000 with NULL. If your operating environment imposes
this restriction on you, it is purely artificial. Furthermore, there is
no reason to accept that such a restriction could not be subverted or
removed.

So I suppose technically speaking, no, NULL dereferences are not
exploitable. However, don't assume address 0 means NULL, because an
address 0 dereference could be exploitable.

But, that is a lie too, because if your operating environment does have
a concept of a NULL pointer, who is to say that skape hasn't already
changed the exception handler that a null dereference will trigger, and made
it do something mean :)

Oddly, null pointer bugs seemingly retained 'unexploitable' status for
over a decade after the first public exploit:

http://packetstorm.linuxsecurity.com/poisonpen/8lgm/ptchown.c


-JG
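The array-base pattern Alex describes (a NULL pointer used as the base of an attacker-indexed array) in C, as an added example that is not code from the thread or from any of the cited papers: the unchecked form beside a hardened form, plus a check of why a mapping floor such as Linux's vm.mmap_min_addr (assumed here to be 65536) does not cover the large-index case. Target addresses are only computed, never dereferenced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not code from the thread: a table pointer that may
 * still be NULL (allocation failed, object not yet initialised) is indexed
 * with an attacker-chosen index, so the write lands at 0 + idx *
 * sizeof(uint32_t), not at address 0. Addresses are computed, never touched. */

/* Target address of the unchecked pattern `table[idx] = value`, computed
 * with integer arithmetic so the demonstration itself is well defined. */
uintptr_t unchecked_target(const uint32_t *table, size_t idx)
{
    return (uintptr_t)table + idx * sizeof(uint32_t);
}

/* Hardened form: refuse a NULL base and bounds-check the index before any
 * pointer arithmetic happens. */
bool checked_store(uint32_t *table, size_t table_len, size_t idx, uint32_t value)
{
    if (table == NULL || idx >= table_len)
        return false;          /* reject instead of computing a wild address */
    table[idx] = value;
    return true;
}

/* Defender's check: a mapping floor such as Linux vm.mmap_min_addr (assumed
 * here to be 65536, a common default) only keeps attacker-mapped pages out
 * of the range below it. A large index walks straight past that range. */
bool below_mapping_floor(uintptr_t target, uintptr_t floor)
{
    return target < floor;
}

int main(void)
{
    uint32_t *table = NULL;               /* the still-NULL base pointer */
    const uintptr_t floor = 65536;        /* assumed mmap_min_addr value */
    const size_t idx[2] = {4, 0x10000};   /* small index, then a large one */
    for (int i = 0; i < 2; i++) {
        uintptr_t t = unchecked_target(table, idx[i]);
        printf("idx %#zx -> target %#lx, below floor: %d\n", idx[i],
               (unsigned long)t, below_mapping_floor(t, floor));
    }
    uint32_t real[8] = {0};
    printf("store into NULL table: %d, into real table: %d\n",
           checked_store(table, 0, 4, 1), checked_store(real, 8, 4, 1));
    return 0;
}
```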
