Full Disclosure mailing list archives
Re: Re: No Subject
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Tue, 21 Oct 2003 09:21:26 +0200 (CEST)
On Mon, 20 Oct 2003, Frank Knobbe wrote:
> Right then. Perhaps that makes me a script kiddie. I just can not comprehend a case where an unknown area of the heap is overwritten with 0's causes a fault that is exploitable to the point of executing injected code. I mean, you don't inject code.
While I'd hate to take sides on the OpenSSH vulnerability, this alone is not a problem. On little endian machines, other than overwriting (zeroing) variables, you can also benefit from partial pointer overwrite, something you really should be aware of before getting in such a flame war. By zeroing least significant bytes of certain user pointers on the heap, or by overwriting certain malloc structures, it is possible to trigger writes to other, somewhat controlled areas of the heap whenever the pointer is written or freed, spoof contents when it is read, etc. This makes it (sometimes) possible to point the code to a buffer created previously, for which you control the contents, and can follow the same procedure, now controlling the entire pointer (or pursue other, application-specific vectors), triggering writes to stack or such, at which point, you are home.

--
-------------------------
bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-10-21 09:14 --
http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- No subject Pocjfr (Oct 13)
- Re: No subject Gregory A. Gilliss (Oct 13)
- <Possible follow-ups>
- No Subject mitch_hurrison (Oct 20)
- Re: No Subject Frank Knobbe (Oct 20)
- Re: Re: No Subject Michal Zalewski (Oct 21)
- Re: Re: No Subject Frank Knobbe (Oct 21)
- Re: Re: No Subject Michal Zalewski (Oct 21)
- Re: Re: No Subject Bradford Shedwick (Oct 21)
- Re: Re: No Subject Frank Knobbe (Oct 21)
- Re: Re: No Subject Michal Zalewski (Oct 21)
- Re: Re: No Subject Paul Schmehl (Oct 21)
- Re: Re: No Subject Byron Copeland (Oct 21)
- Re: Re: No Subject Peter Busser (Oct 22)
- Re: No Subject Frank Knobbe (Oct 20)
- Linux (in)security (Was: Re: Re: No Subject) Peter Busser (Oct 22)
- Re: Linux (in)security (Was: Re: Re: No Subject) Bruce Ediger (Oct 22)