Re: Re: No Subject

[Michal Zalewski <lcamtuf () ghettot org>]

On Mon, 20 Oct 2003, Frank Knobbe wrote:

> Right then. Perhaps that makes me a script kiddie. I just can not
> comprehend a case where an unknown area of the heap is overwritten with
> 0's causes a fault that is exploitable to the point of executing
> injected code. I mean, you don't inject code.

While I'd hate to take sides on the OpenSSH vulnerability, this alone is
not a problem. On little endian machines, other than overwriting (zeroing)
variables, you can also benefit from partial pointer overwrite, something
you really should be aware of before getting in such a flame war. By
zeroing least significant bytes of certain user pointers on the heap, or
by overwriting certain malloc structures, it is possible to trigger writes
to other, somewhat controlled areas of the heap whenever the pointer is
written or freed, spoof contents when it is read, etc.

This makes it (sometimes) possible to point the code to a buffer created
previously, for which you control the contents, and can follow the same
procedure, now controlling the entire pointer (or pursue other,
application-specific vectors), triggering writes to stack or such, at
which point, you are home.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-10-21 09:14 --

   http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html