[Dailydave] Dangling pointers exploitation

Thomas Ptacek tqbf at matasano.com
Wed Jul 25 13:19:04 EDT 2007


We're getting into a semantic argument I'm not interested in. The
"class" of vulnerabilities I'm considering are "pointers that take
what appears to be an unpredictable wild value, where attackers can
influence either the value of the pointer or the memory the pointer
points at". That class includes Halvar's stale stack frames,
use-after-free, Dowd's Sendmail exception-safety hole, and C++ STL
iterator invalidations.

I'm pretty sure we agree there are similarities here. I'm totally
uninterested in who-invented-what. I'm very interested in new
techniques to trigger this class of vulnerabilities. Which is what I
told Dennis. =)

On 7/25/07, jf <jf at danglingpointers.net> wrote:
> Didn't Halvar already talk about uninitialized automatic/local variables? And
> how is a use-after-free condition any different from a double free (other than you
> get to skip the second free)?
>
>
>
> On Wed, 25 Jul 2007, Thomas Ptacek wrote:
>
> > Date: Wed, 25 Jul 2007 12:02:32 -0500
> > From: Thomas Ptacek <tqbf at matasano.com>
> > To: jf <jf at danglingpointers.net>
> > Cc: ergosum at neurosecurity.com, dailydave at lists.immunitysec.com
> > Subject: Re: [Dailydave] Dangling pointers exploitation
> >
> > Uninitialized automatic variables and use-after-free variables seem
> > of-a-kind: you have a pointer whose value seems unpredictable but is
> > in fact strongly influenced by the execution environment, which is in
> > turn often influenced by inputs and timing.
> >
> > On 7/25/07, jf <jf at danglingpointers.net> wrote:
> > > > Let me just qualify that I was talking about the whole class of
> > > > wild-pointer bugs.
> > >
> > > How would it be any different from
> > > ptr+overflowed_offset/array[negative_index]/et cetera bugs?
> > >
> > > Perhaps the guys found a new way of reliably exploiting a very specific
> > > form of dangling pointer bugs, but I don't see how it could possibly
> > > qualify as being a new class of vulns, nor can I think of anyone who has
> > > ever said a dangling pointer was a QA issue and not a security issue.
> > >
> >
> >
> >
>


-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
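As an added illustration of the point Thomas makes in his quoted reply (a use-after-free pointer looks wild but its target is fixed by the execution environment, here the order of free and alloc), this is constructed C, not code from any poster on the thread: a tiny slot pool in which a stale handle deterministically aliases the next allocation, beside a generation-checked accessor that rejects the stale handle. The pool, the `handle` type and all function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>
/* Constructed slot pool with per-slot generation counters (bumped on free). */
#define SLOTS 4
#define SLOT_BYTES 32
static unsigned char pool[SLOTS][SLOT_BYTES];
static uint32_t generation[SLOTS];
static int in_use[SLOTS];
typedef struct { int slot; uint32_t gen; } handle;  /* which slot, which lifetime */
handle pool_alloc(void) {
    for (int i = 0; i < SLOTS; i++)  /* lowest free slot first: reuse order is deterministic */
        if (!in_use[i]) { in_use[i] = 1; return (handle){ i, generation[i] }; }
    return (handle){ -1, 0 };
}

void pool_free(handle h) {
    if (h.slot < 0 || h.slot >= SLOTS || !in_use[h.slot]) return;
    memset(pool[h.slot], 0xAB, SLOT_BYTES);  /* poison freed bytes */
    in_use[h.slot] = 0;
    generation[h.slot]++;                    /* all outstanding handles to this slot go stale */
}
/* Weak form: trusts the handle regardless of lifetime, like a raw C pointer. */
unsigned char *raw_ptr(handle h) { return pool[h.slot]; }
/* Hardened form: refuses a handle whose generation no longer matches the slot. */
unsigned char *checked_ptr(handle h) {
    if (h.slot < 0 || h.slot >= SLOTS || !in_use[h.slot]) return NULL;
    return generation[h.slot] == h.gen ? pool[h.slot] : NULL;
}
/* 1 if a dangling handle to A, read through raw_ptr, yields B's bytes: the
 * "unpredictable" target was fixed entirely by the order of free and alloc. */
int stale_raw_sees_new_data(void) {
    handle a = pool_alloc();
    strcpy((char *)raw_ptr(a), "record-A");
    pool_free(a);                            /* a is now dangling */
    handle b = pool_alloc();                 /* takes a's slot */
    strcpy((char *)raw_ptr(b), "record-B");
    int aliased = strcmp((char *)raw_ptr(a), "record-B") == 0;
    pool_free(b);
    return aliased;
}

/* 1 if the same stale handle is rejected by checked_ptr while the live one is served. */
int stale_checked_is_rejected(void) {
    handle a = pool_alloc();
    pool_free(a);
    handle b = pool_alloc();
    int ok = checked_ptr(a) == NULL && checked_ptr(b) != NULL;
    pool_free(b);
    return ok;
}
```

The generation check is the same idea behind production mitigations such as tagged or versioned handles: the freed slot may be reused, but a stale reference is detected rather than silently served.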

