Full Disclosure mailing list archives
Re: No Subject (re: openssh exploit code?)
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
Date: Mon, 20 Oct 2003 17:19:27 -0700
Hi,

Maybe I missed something here... I'm an assembler jockey from BITD and I know a few things about alloc/calloc/malloc and heaps and stacks etc. So what's the key, may I ask, to this heap exploit that was the origin of this thread?

Heap, as you know, is memory from which blocks are dynamically allocated. Ideally (although not always actually) heap memory is allocated, used, freed, and possibly reused, or else the OS gets it back and can provide it to another process. Now, in many cases that memory does not get scrubbed from one process to another, which is why people are urged to bcopy/memcpy() the allocated memory so that it is transmuted into a known state. Technically, no matter what code you put in the heap space, unless the OS does something executable with it (and in privileged mode, of course) there is nothing that user space code can do that would elevate privileges. BTW, my understanding is that the mechanism works the same regardless of big/little endian, and I've done it on IBM mainframes, VAXen, and Intel chips...

So, can one of you pls point me back at the message where the technical part of this heap 'sploit is discussed?

Thanx.

G

On or about 2003.10.20 16:18:05 +0000, mitch_hurrison () ziplip com (mitch_hurrison () ziplip com) said:
> Hi Paul,
>
> > So there's the 1% l33ts like you, and then there's the 99% of the human populace that has other things to do besides squirrel around with code. I get it.
>
> How does my "squirreling around with code" all day bear relevance to the points I put forward? If anything, you as an admin should be happy no one has been foolish enough to release an exploit en masse, no? I chose this life and I chose to commit myself to the research I do. I work hard at it and I don't think releasing exploit code is a justifiable action in this day and age. Then you come wobbling out of the woodwork to muster up some obscure insult about me being a "code monkey"? Very classy, Paul.
> <SNIP>

--
Gregory A. Gilliss, CISSP          Telephone: 1 650 872 2420
Computer Engineering               E-mail: greg () gilliss com
Computer Security                  ICQ: 123710561
Software Development               WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
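The heap lifecycle Gregory describes above (allocated, used, freed, possibly reused, and not necessarily scrubbed in between) can be observed directly. The C program below is an added example for this archive page, not code from Gregory's post or from anyone else in the thread. It allocates a block, fills it with a marker byte, frees it, then allocates a block of the same size again and counts how many marker bytes are still visible; it then repeats the experiment with the two defensive habits that make the contents a known state regardless of what the allocator did: initialising the new block with calloc() (or memset) before trusting it, and scrubbing the old block before free() so that the data does not survive into the next occupant. It assumes an ordinary C library allocator in which free() leaves most of a chunk's payload untouched; the names BLOCK, MARKER, scrub_and_free and leftover_bytes are constructed for the example. The count in the unscrubbed case is allocator-dependent, which is exactly why the code reports it rather than assuming it.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sizes for the experiment: a small block and a distinctive
 * fill byte that is easy to recognise when it resurfaces. */
#define BLOCK  64
#define MARKER 0xA5

/* Call memset through a volatile function pointer so the compiler cannot
 * discard a scrub of memory that is about to be freed (the "dead store"
 * optimisation). This is a well-known portable idiom, not a library API. */
static void *(*const volatile scrub_memset)(void *, int, size_t) = memset;

/* Put a block into a known (zeroed) state before returning it to the heap. */
static void scrub_and_free(void *p, size_t n)
{
    if (p != NULL) {
        scrub_memset(p, 0, n);
        free(p);
    }
}

/* "Allocated, used, freed": fill a block with MARKER bytes and release it,
 * either with a plain free() or after scrubbing. */
static void use_and_release(int scrub_before_free)
{
    unsigned char *p = malloc(BLOCK);
    if (p == NULL)
        return;
    memset(p, MARKER, BLOCK);
    if (scrub_before_free)
        scrub_and_free(p, BLOCK);
    else
        free(p);
}

/* Count how many bytes of a BLOCK-sized buffer hold the MARKER value. */
static size_t count_marker(const unsigned char *q)
{
    size_t n = 0;
    for (size_t i = 0; i < BLOCK; i++)
        if (q[i] == MARKER)
            n++;
    return n;
}

/* "Possibly reused": acquire a block of the same size and report how much of
 * the previous occupant is still visible.
 *   scrub_before_free : 1 = zero the old block before free(), 0 = plain free()
 *   init_known_state  : 1 = obtain the new block with calloc() (zeroed),
 *                       0 = plain malloc(), whose contents are undefined
 * Returns the number of MARKER bytes seen, or (size_t)-1 on allocation failure. */
static size_t leftover_bytes(int scrub_before_free, int init_known_state)
{
    use_and_release(scrub_before_free);
    unsigned char *q = init_known_state ? calloc(1, BLOCK) : malloc(BLOCK);
    if (q == NULL)
        return (size_t)-1;
    size_t n = count_marker(q);
    free(q);
    return n;
}

int main(void)
{
    /* Only the first line's value depends on the allocator; the other two
     * are zero by construction, which is the point of the two habits. */
    printf("plain free, raw malloc   : %zu marker bytes visible\n", leftover_bytes(0, 0));
    printf("plain free, calloc       : %zu marker bytes visible\n", leftover_bytes(0, 1));
    printf("scrubbed free, raw malloc: %zu marker bytes visible\n", leftover_bytes(1, 0));
    return 0;
}
```

The first line typically shows most of the 64 marker bytes still present because a common allocator only overwrites the few bytes it needs for its own free-list bookkeeping. The two defensive results do not depend on the allocator at all: calloc() (or an explicit memset after malloc) removes any dependence on what the previous owner left behind, and scrubbing before free() keeps sensitive contents from being handed to the next allocation in the same process. Neither habit replaces the bounds checking that a heap overflow bug itself requires; they only remove the "unknown state" Gregory is asking about.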
Current thread:
- RE: No Subject (re: openssh exploit code?) mitch_hurrison (Oct 20)
- Re: No Subject (re: openssh exploit code?) Gregory A. Gilliss (Oct 20)
- Re: No Subject (re: openssh exploit code?) Paul Schmehl (Oct 20)
- Re: No Subject (re: openssh exploit code?) security snot (Oct 21)
- Re: No Subject (re: openssh exploit code?) John Sage (Oct 21)
- Re: No Subject (re: openssh exploit code?) madsaxon (Oct 21)
- Re: No Subject (re: openssh exploit code?) Paul Schmehl (Oct 20)
- Re: No Subject (re: openssh exploit code?) Gregory A. Gilliss (Oct 20)
- <Possible follow-ups>
- Re: No Subject (re: openssh exploit code?) mitch_hurrison (Oct 21)
- Re: No Subject (re: openssh exploit code?) Anders B Jansson (Oct 21)
- Re: No Subject (re: openssh exploit code?) S . f . Stover (Oct 21)
- Re: No Subject (re: openssh exploit code?) Jason Coombs (Oct 21)
- Re: No Subject (re: openssh exploit code?) morning_wood (Oct 21)
- Re: No Subject (re: openssh exploit code?) Jason Coombs (Oct 21)