Dailydave mailing list archives

Re: Dangling pointers exploitation


From: "Thomas Ptacek" <tqbf () matasano com>
Date: Wed, 25 Jul 2007 12:19:04 -0500

We're getting into a semantic argument I'm not interested in. The
"class" of vulnerabilities I'm considering are "pointers that take
what appears to be an unpredictable wild value, where attackers can
influence either the value of the pointer or the memory the pointer
points at". That class includes Halvar's stale stack frames,
use-after-free, Dowd's Sendmail exception-safety hole, and C++ STL
iterator invalidations.

I'm pretty sure we agree there are similarities here. I'm totally
uninterested in who-invented-what. I'm very interested in new
techniques to trigger this class of vulnerabilities. Which is what I
told Dennis. =)

On 7/25/07, jf <jf () danglingpointers net> wrote:
Didn't Halvar already talk about uninitialized automatic/local variables? And
how is a use-after-free condition any different than a double free (other than you
get to skip the second free)?



On Wed, 25 Jul 2007, Thomas Ptacek wrote:

Date: Wed, 25 Jul 2007 12:02:32 -0500
From: Thomas Ptacek <tqbf () matasano com>
To: jf <jf () danglingpointers net>
Cc: ergosum () neurosecurity com, dailydave () lists immunitysec com
Subject: Re: [Dailydave] Dangling pointers exploitation

Uninitialized automatic variables and use-after-free variables seem
of-a-kind: you have a pointer whose value seems unpredictable but is
in fact strongly influenced by the execution environment which is in
turn often influenced by inputs and timing.

On 7/25/07, jf <jf () danglingpointers net> wrote:
Let me just qualify that I was talking about the whole class of
wild-pointer bugs.

How would it be any different than
ptr+overflowed_offset/array[negative_index]/et cetera bugs?

Perhaps the guys found a new way of reliably exploiting a very specific
form of dangling pointer bugs, but I don't see how it could possibly
qualify as being a new class of vulns, nor can I think of anyone who has
ever said a dangling pointer was a QA issue and not a security issue.







-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
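The two cases Ptacek groups together above, a freed heap object still reachable through a stale pointer and an automatic variable read on a path that never assigned it, can be shown side by side with the pattern that removes the environment dependence. The following C program is an added illustration written for this archive page, not code from the thread or from any project discussed in it; the struct, function names and the "alice" sample value are all hypothetical. The buggy variants are defined but not called from main(), since their result is undefined; the comments note which sanitizer reports each one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical object type used only for this illustration. */
struct session {
    char name[32];
    int (*on_close)(struct session *);
};

static int default_close(struct session *s)
{
    return (int)strlen(s->name);
}

/* Use-after-free as written: after free() the local 's' still holds the old
 * address, so the indirect call goes through whatever the allocator has since
 * placed at that address. Undefined behaviour; AddressSanitizer
 * (-fsanitize=address) reports it as heap-use-after-free. Not called by main(). */
int uaf_buggy(void)
{
    struct session *s = malloc(sizeof *s);
    if (s == NULL)
        return -1;
    strcpy(s->name, "alice");
    s->on_close = default_close;
    free(s);
    return s->on_close(s);          /* dangling pointer dereference */
}

/* Hardened: scrub and free through a helper that also clears the only
 * reference, so any later access is a deterministic NULL check rather than
 * an environment-dependent value. */
static void session_release(struct session **sp)
{
    if (*sp != NULL) {
        memset(*sp, 0, sizeof **sp);   /* do not leave stale data or pointers */
        free(*sp);
        *sp = NULL;
    }
}

int uaf_fixed(void)
{
    struct session *s = malloc(sizeof *s);
    if (s == NULL)
        return -1;
    strcpy(s->name, "alice");
    s->on_close = default_close;
    int rc = s->on_close(s);        /* last use happens before release */
    session_release(&s);
    return (s == NULL) ? rc : -2;   /* s is NULL here; nothing stale to reuse */
}

/* Uninitialized automatic variable: on the want <= 0 path 'out' is never
 * assigned and holds whatever an earlier call left in that stack slot, the
 * stale-frame case mentioned in the thread. MemorySanitizer (-fsanitize=memory)
 * reports the read; -Wall warns at compile time. Not called by main(). */
int uninit_buggy(int want)
{
    const char *out;
    if (want > 0)
        out = "ok";
    return out[0];                  /* stale stack value when want <= 0 */
}

/* Hardened: initialise at the declaration and give every path an answer. */
int uninit_fixed(int want)
{
    const char *out = NULL;
    if (want > 0)
        out = "ok";
    return (out != NULL) ? out[0] : -1;
}

int main(void)
{
    printf("uaf_fixed    -> %d (strlen of \"alice\")\n", uaf_fixed());
    printf("uninit_fixed -> %d %d\n", uninit_fixed(1), uninit_fixed(0));
    return 0;
}
```

The point of the hardened pair is the one made in the thread: the bug is not that the pointer is "wild" but that its value is decided by the execution environment, and nulling the reference at release or initialising at declaration takes that decision away from whatever ran before.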
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

