osdir.com
mailing list archive

Subject: Re: Dangling pointers exploitation - msg#00064

List: security.dailydave

Didn't Halvar already talk about uninitialized automatic/local variables? And
how is a use-after-free condition any different from a double free (other than
you get to skip the second free)?



On Wed, 25 Jul 2007, Thomas Ptacek wrote:

> Date: Wed, 25 Jul 2007 12:02:32 -0500
> From: Thomas Ptacek <tqbf@xxxxxxxxxxxx>
> To: jf <jf@xxxxxxxxxxxxxxxxxxxx>
> Cc: ergosum@xxxxxxxxxxxxxxxxx, dailydave@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Dailydave] Dangling pointers exploitation
>
> Uninitialized automatic variables and use-after-free variables seem
> of-a-kind: you have a pointer whose value seems unpredictable but is
> in fact strongly influenced by the execution environment, which is in
> turn often influenced by inputs and timing.
>
> On 7/25/07, jf <jf@xxxxxxxxxxxxxxxxxxxx> wrote:
> > > Let me just qualify that I was talking about the whole class of
> > > wild-pointer bugs.
> >
> > How would it be any different from
> > ptr+overflowed_offset/array[negative_index]/et cetera bugs?
> >
> > Perhaps the guys found a new way of reliably exploiting a very specific
> > form of dangling pointer bugs, but I don't see how it could possibly
> > qualify as being a new class of vulns, nor can I think of anyone who has
> > ever said a dangling pointer was a QA issue and not a security issue.
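The point jf makes above, that a use-after-free is a double free with the second free skipped, is easiest to see from the defender's side, in the state a checking allocator keeps. The following is an added example written for this archive page; it is not code from jf's or Ptacek's posts. It is a small tracking allocator in C, modelled loosely on the quarantine-and-poison approach that tools such as AddressSanitizer use: freed blocks are poisoned and held back rather than returned to the system allocator, so both a second free and a stale access are attributed to the same "already freed" block. All names (dbg_malloc, dbg_free, dbg_check_access, the scenario functions) and the poison value are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcomes reported by the tracking allocator (constructed for this example). */
enum dbg_status {
    DBG_OK = 0,
    DBG_DOUBLE_FREE,     /* free() on a block that is already freed */
    DBG_USE_AFTER_FREE,  /* access through a pointer to a freed block */
    DBG_UNKNOWN_PTR      /* pointer never came from dbg_malloc */
};

#define MAX_TRACKED 64
#define POISON_BYTE 0xA5   /* constructed fill pattern for freed memory */

struct slot {
    unsigned char *base;
    size_t len;
    int freed;
};

static struct slot tracked[MAX_TRACKED];
static int ntracked;

/* Find the block containing p; p may point into the middle of a block. */
static struct slot *find_slot(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < ntracked; i++) {
        uintptr_t b = (uintptr_t)tracked[i].base;
        if (a >= b && a < b + tracked[i].len)
            return &tracked[i];
    }
    return NULL;
}

void *dbg_malloc(size_t len)
{
    if (ntracked == MAX_TRACKED || len == 0) return NULL;
    unsigned char *base = malloc(len);
    if (!base) return NULL;
    tracked[ntracked].base = base;
    tracked[ntracked].len = len;
    tracked[ntracked].freed = 0;
    ntracked++;
    return base;
}

/* Free with quarantine: the block is poisoned and kept, not handed back to
 * the system allocator, so any later stale use can still be attributed to it. */
enum dbg_status dbg_free(void *p)
{
    struct slot *s = find_slot(p);
    if (!s) return DBG_UNKNOWN_PTR;
    if (s->freed) return DBG_DOUBLE_FREE;   /* second free of the same block */
    memset(s->base, POISON_BYTE, s->len);
    s->freed = 1;
    return DBG_OK;
}

/* Validate an access before dereferencing (what instrumentation would do). */
enum dbg_status dbg_check_access(const void *p)
{
    struct slot *s = find_slot(p);
    if (!s) return DBG_UNKNOWN_PTR;
    return s->freed ? DBG_USE_AFTER_FREE : DBG_OK;
}

/* Release quarantined blocks and clear the table. */
void dbg_reset(void)
{
    for (int i = 0; i < ntracked; i++) free(tracked[i].base);
    ntracked = 0;
}

/* Scenario 1: double free. */
enum dbg_status scenario_double_free(void)
{
    char *p = dbg_malloc(16);
    dbg_free(p);
    enum dbg_status r = dbg_free(p);
    dbg_reset();
    return r;
}

/* Scenario 2: use-after-free, i.e. scenario 1 with the second free replaced by
 * an access. Also reports whether the stale block now holds the poison pattern. */
enum dbg_status scenario_use_after_free(int *saw_poison)
{
    char *p = dbg_malloc(16);
    strcpy(p, "session-token");           /* constructed sample content */
    dbg_free(p);
    enum dbg_status r = dbg_check_access(p);
    /* Peek through the slot, not through p: the block is quarantined, so this
       is a safe look at what a stale read would have returned. */
    *saw_poison = (find_slot(p)->base[0] == POISON_BYTE);
    dbg_reset();
    return r;
}

/* Scenario 3: correct lifetime; check passes, single free, pointer nulled. */
enum dbg_status scenario_correct(void)
{
    char *p = dbg_malloc(16);
    enum dbg_status r = dbg_check_access(p);
    if (r == DBG_OK) r = dbg_free(p);
    p = NULL;   /* a nulled pointer cannot later be used as a stale one */
    dbg_reset();
    return r;
}

int main(void)
{
    int poison = 0;
    printf("double free      -> %d\n", scenario_double_free());
    enum dbg_status uaf = scenario_use_after_free(&poison);
    printf("use after free   -> %d (poison seen: %d)\n", uaf, poison);
    printf("correct lifetime -> %d\n", scenario_correct());
    return 0;
}
```

Both faulty scenarios are rejected on the same `freed` flag; the only difference is which operation trips it. The poison fill is the detection aid: a stale read that lands on a recognisable pattern is far easier to diagnose in a crash dump than one that lands on whatever the next allocation wrote there.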


Thread at a glance:

Next Message by Thread: Re: Dangling pointers exploitation (Thomas Ptacek)

We're getting into a semantic argument I'm not interested in. The "class" of vulnerabilities I'm considering is "pointers that take what appears to be an unpredictable wild value, where attackers can influence either the value of the pointer or the memory the pointer points at". That class includes Halvar's stale stack frames, use-after-free, Dowd's Sendmail exception-safety hole, and C++ STL iterator invalidations. I'm pretty sure we agree there are similarities here.

I'm totally uninterested in who-invented-what. I'm very interested in new techniques to trigger this class of vulnerabilities. Which is what I told Dennis. =)

--
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log