Dailydave mailing list archives

Re: Denial of Service?


From: don bailey <don.bailey () gmail com>
Date: Mon, 01 Dec 2008 11:12:28 -0700

Dave Aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Reading through today's list of kernel bugs from Ubuntu I noticed a
> lot of "denial of services". Are these really denial of services? Can
> we get an exploitability index explanation for these? :>


I've noticed a fairly strong trend over the past couple of years for
organizations to quickly classify kernel bugs as "denial of service"
vulnerabilities. I've found the reason behind this isn't so much
research proving that these bugs can only elicit a DoS, but rather
a lack of due diligence or skill on the part of the researcher.

Though I'm sure many of these analysts are skilled individuals, many
times bugs are misclassified due to vectors not investigated. The NULL
page technique is one such misstep. While I have not investigated
these particular bugs, one would conjecture that the ability to remap a
driver's memory page(s) would lead to more than a simple crash of the
kernel. After researching several recent "zero day" bugs in Linux file
system code, I'd suspect that the HFS+ bug can do more than crash the
system as well.

The SCM_RIGHTS bug sounds suspiciously like something a page injection
strategy might be perfect for, though the researcher that analyzed the
i2c driver seems to have considered NULL page injection.

I think it's all in the flavor of the researcher you're dealing with,
since there's no real protocol or template for auditing code. I'm sure
many of your readers can agree that while this may give those with a bit
of knowledge the edge, it leaves the general public often misinformed
when it comes to whom to trust with their 10,000+ line code audit.

D

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
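The "NULL page technique" Don mentions is the classic move of mapping the zero page from user space, so that a kernel NULL-pointer dereference lands on attacker-controlled memory instead of faulting. Whether that step is still open is the first thing to check when triaging a kernel NULL-deref bug that has been filed as a DoS, because Linux refuses mappings below vm.mmap_min_addr to processes without CAP_SYS_RAWIO. The program below is an added example, not code from the original thread or from any of the bugs it discusses; it reads the sysctl, models the kernel's policy for an unprivileged task, and then attempts the mapping directly. The function names are my own, and the policy model assumes no LSM adds rules beyond the sysctl check.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Read vm.mmap_min_addr from procfs. Returns the value, or -1 if it
 * cannot be read (non-Linux system, procfs not mounted, or restricted). */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Pure model of the kernel policy: a mapping below mmap_min_addr is allowed
 * only for a task holding CAP_SYS_RAWIO. Returns 1 allowed, 0 refused,
 * -1 when the sysctl value is unknown. (Assumption: no LSM adds further rules.) */
int null_page_allowed_by_policy(long min_addr, int has_sys_rawio)
{
    if (has_sys_rawio)
        return 1;
    if (min_addr < 0)
        return -1;
    return min_addr == 0 ? 1 : 0;
}

/* Live probe: try to map one anonymous page at virtual address 0, which is
 * exactly the setup step a NULL-page exploit performs before triggering the
 * kernel bug. Returns 1 if the page was mapped and is writable (then unmaps
 * it), 0 if the kernel refused on policy grounds (EPERM/EACCES), -1 otherwise. */
int probe_null_page(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0)
        return -1;
    /* MAP_FIXED is required: without it, address 0 is just "no preference". */
    void *p = mmap((void *)0, (size_t)pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return (errno == EPERM || errno == EACCES) ? 0 : -1;

    /* Touch the page: in an exploit this would hold a fake object or jump
     * stub for the kernel to pick up through its NULL dereference. */
    volatile unsigned char *page = (volatile unsigned char *)p;
    page[0] = 0x41;
    int ok = (page[0] == 0x41);
    munmap(p, (size_t)pagesz);
    return ok ? 1 : -1;
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    int predicted = null_page_allowed_by_policy(min_addr, 0);
    int actual = probe_null_page();
    int saved_errno = errno;

    printf("vm.mmap_min_addr = %ld\n", min_addr);
    printf("policy (no CAP_SYS_RAWIO): %s\n",
           predicted == 1 ? "NULL page mappable" :
           predicted == 0 ? "NULL page refused" : "unknown");
    printf("live probe: %s%s%s\n",
           actual == 1 ? "mapped page 0" :
           actual == 0 ? "refused by kernel" : "failed for another reason",
           actual == 1 ? "" : " (", actual == 1 ? "" : strerror(saved_errno));
    if (actual == 1)
        puts("NULL-deref kernel bugs on this host are candidates for "
             "privilege escalation, not just DoS.");
    return 0;
}
```

Build with `cc -o nullpage nullpage.c` and run it as an unprivileged user; a refused probe on a host with a non-zero mmap_min_addr is the expected modern result, while a successful one means a NULL dereference in any driver on that host should be assumed exploitable until shown otherwise.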
