Full Disclosure mailing list archives
Re: Re: No Subject
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 21 Oct 2003 16:44:47 -0500
On Tue, 2003-10-21 at 11:42, Michal Zalewski wrote:
> On low endian, you can change a pointer such as: 0x08049648 ...to be one of the following: 0x08049600 0x08040000 0x08000000
Ah, duh... that just didn't enter my brain since I was focused on the exploit at hand, which I believe doesn't allow such precise sniping.
> Zero overwrites are a tricky business.
heh... hence the question if it really is exploitable.
> It's not as much about looking at the code, but looking at the library malloc() implementation, and then figuring out what can be put on heap and where. I am way too lazy / too busy to give it much thought - I don't see any benefit from writing an exploit or proving (?) it is not exploitable.
That brings up a good point. If this issue is not exploitable on *BSD but on Linux due to a different implementation of memory handling, doesn't that mean that Linux is generally less secure than *BSD just for that reason? And if so, why haven't the Linux memory handling routines been fixed/strengthened?
> At first sight, it does not seem to be exploitable on some platforms, on others, is uncertain at best. Quite frankly, I would expect the exploit to leak already, or be developed independently, so I am sort of skeptical.
I agree. So the lack of any such activity within a month is a good indicator for the non-exploitability (exploitivness? exploitivity?) of this thing.
> If it is exploitable and there is an exploit, the public will sooner or later find out, don't force it if there is no good reason...
I agree that I'd rather not see an exploit being written. But I'm extremely curious if it can be done. My reason, again, is that the advisories came out with "*may* be exploitable" as Mark noted. I think security advisories should be more precise and accurate (I know it can't always be done, but hey, please try). When the advisories hit, especially from some organizations I don't want to name here, it sounded like FUD feeding. Everyone and their mother seems to get off on FUD and hype these days. I think we (as the security community) should do a better job in stating the facts and should strive to avoid FUD. I especially remember one notice that said that this issue is already widely exploited... errr... with a bug which doesn't seem to be exploitable, excuse me? That's the whole reason I got pissed off weeks ago, and is the reason I really would like to see an answer to the exploitability. Because if it isn't exploitable, and no exploit had been in use in the underground, then that would be a clear indication that certain folks flat out lie and spread FUD to their benefit. A dangerous precedent if we want the area of security to remain a serious business.

Cheers,
Frank
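The pointer-truncation point Michal makes above (that on a little-endian machine a run of NUL bytes written past a buffer turns 0x08049648 into 0x08049600, 0x08040000 or 0x08000000 depending on how many bytes spill over) is easy to verify in a few lines. The program below is an added illustration for readers of the archive, not code from either correspondent; it models the four bytes of a 32-bit pointer in a byte array and applies the overwrite on a little-endian and, as an assumed contrast not discussed in the thread, a big-endian layout. The pointer value is the one used in the message; everything else is constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not part of the original thread. A pointer lives in
 * memory as 4 bytes; which byte sits at the lowest address depends on
 * endianness. An overflow that runs forward out of a buffer reaches the
 * lowest-addressed byte of the next object first, so on little-endian the
 * least significant byte of an adjacent pointer is the first thing hit. */

/* Serialise a 32-bit value into 4 bytes in the requested byte order. */
static void store32(uint8_t out[4], uint32_t v, int little_endian) {
    for (int i = 0; i < 4; i++) {
        int shift = little_endian ? 8 * i : 8 * (3 - i);
        out[i] = (uint8_t)(v >> shift);
    }
}

/* Read 4 bytes back as a 32-bit value in the requested byte order. */
static uint32_t load32(const uint8_t in[4], int little_endian) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int shift = little_endian ? 8 * i : 8 * (3 - i);
        v |= (uint32_t)in[i] << shift;
    }
    return v;
}

/* Model an overflow that writes n NUL bytes (0..4) into the first n bytes of
 * the pointer's storage, e.g. a string terminator or NUL padding landing one
 * object too far. Returns the pointer value that results. */
uint32_t zero_overwrite(uint32_t ptr, int n, int little_endian) {
    uint8_t mem[4];
    store32(mem, ptr, little_endian);
    if (n < 0) n = 0;
    if (n > 4) n = 4;
    memset(mem, 0, (size_t)n);   /* the spilled zero bytes land here */
    return load32(mem, little_endian);
}

int main(void) {
    const uint32_t ptr = 0x08049648u;   /* the value used in the thread */
    printf("zeros  little-endian  big-endian\n");
    for (int n = 0; n <= 4; n++) {
        printf("  %d    0x%08x      0x%08x\n", n,
               zero_overwrite(ptr, n, 1), zero_overwrite(ptr, n, 0));
    }
    return 0;
}
```

The table the program prints shows why a single-NUL overwrite is worth worrying about on little-endian: the truncated value is still a pointer into the same page or region (0x08049600 is 0x48 bytes below the original), which is exactly the kind of "precise sniping" the discussion above is about. On big-endian the first byte hit is the most significant one, so one NUL yields 0x00049648, an address in a completely different part of the address space, which is why the same bug can behave so differently across platforms and allocators.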