Re: Dangling pointers exploitation

[jf <jf () danglingpointers net>]

All apologies, my intent is not to get into semantics, but rather to point
out that thus far no one has presented an argument about anything new.
If they really have a method for triggering some of these types of problems,
then I will agree its something interesting, but I didn't get that
impression from anything i've seen or heard, but rather I've heard what
appears to be hype and propaganda by a reporter who either doesn't know
what they're talking about, or can't properly communicate what they're
talking about.

If I'm wrong, then post-bh I'll say I'm wrong, but I don't think thats the
case.



On Wed, 25 Jul 2007, Thomas Ptacek wrote:

> Date: Wed, 25 Jul 2007 12:19:04 -0500
> From: Thomas Ptacek <tqbf () matasano com>
> To: jf <jf () danglingpointers net>
> Cc: ergosum () neurosecurity com, dailydave () lists immunitysec com
> Subject: Re: [Dailydave] Dangling pointers exploitation
>
> We're getting into a semantic argument I'm not interested in. The
> "class" of vulnerabilities I'm considering are "pointers that take
> what appears to be an unpredictable wild value, where attackers can
> influence either the value of the pointer or the memory the pointer
> points at". That class includes Halvar's stale stack frames,
> use-after-free, Dowd's Sendmail exception-safety hole, and C++ STL
> iterator invalidations.
>
> I'm pretty sure we agree there are similarities here. I'm totally
> uninterested in who-invented-what. I'm very interested in new
> techniques to trigger this class of vulnerabilities. Which is what I
> told Dennis. =)
>
> On 7/25/07, jf <jf () danglingpointers net> wrote:
> > Didnt halvar already talk about unitialized automatic/local variables? and
> > how is a use-after-free condition any different than a double free (other
> > than you
> > get to skip the second free)?
> >
> >
> >
> > On Wed, 25 Jul 2007, Thomas Ptacek wrote:
> >
> > > Date: Wed, 25 Jul 2007 12:02:32 -0500
> > > From: Thomas Ptacek <tqbf () matasano com>
> > > To: jf <jf () danglingpointers net>
> > > Cc: ergosum () neurosecurity com, dailydave () lists immunitysec com
> > > Subject: Re: [Dailydave] Dangling pointers exploitation
> > >
> > > Unitialized automatic variables and use-after-free variables seem
> > > of-a-kind: you have a pointer who's value seems unpredictable but is
> > > in fact strongly influenced by the execution environment which is in
> > > turn often influenced by inputs and timing.
> > >
> > > On 7/25/07, jf <jf () danglingpointers net> wrote:
> > > > > Let me just qualify that I was talking about the whole class of
> > > > > wild-pointer bugs.
> > > >
> > > > how would it be any different than
> > > > ptr+overflowed_offset/array[negative_index]/et cetera bugs?
> > > >
> > > > perhaps the guys found a new way of reliably exploiting a very specific
> > > > form of dangling pointer bugs, but i dont see how it could possibly
> > > > qualify as being a new class of vulns, nor can i think of anyone who has
> > > > ever said a dangling pointer was a QA issue and not a security issue
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave