Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Dangling pointers exploitation

From: "Pusscat" <pusscat () metasploit com>
Date: Wed, 25 Jul 2007 13:51:41 -0400
Didn't halvar give a memory painting talk on exploiting this kind of
uninitialized/"dangling" variable bug?

~ Puss


-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Thomas Ptacek
Sent: Wednesday, July 25, 2007 1:03 PM
To: jf
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Dangling pointers exploitation

Unitialized automatic variables and use-after-free variables seem
of-a-kind: you have a pointer who's value seems unpredictable but is
in fact strongly influenced by the execution environment which is in
turn often influenced by inputs and timing.

On 7/25/07, jf <jf () danglingpointers net> wrote:

Let me just qualify that I was talking about the whole class of
wild-pointer bugs.


how would it be any different than
ptr+overflowed_offset/array[negative_index]/et cetera bugs?

perhaps the guys found a new way of reliably exploiting a very specific
form of dangling pointer bugs, but i dont see how it could possibly
qualify as being a new class of vulns, nor can i think of anyone who has
ever said a dangling pointer was a QA issue and not a security issue




-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: