lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 04 Dec 2003 12:10:05 +0100
From: Stefan Esser <se@...iracy.de>
To: xenophi1e <oliver.lavery@...patico.ca>
Cc: bugtraq@...urityfocus.com
Subject: Re: [ANNOUNCE] glibc heap protection patch


xenophi1e wrote:

> This question seems more complex than 'Feel free to demonstrate me an 
> unlink exploit that works while my unlink macro is in place'. But I 
> have to admit my own ignorance here, I can't say for certain whether 
> an attacker who passes the test in your macro is left in a situation 
> where an exploit is possible.

Fact is my macro makes arbitrary pointer overwrites with unlink() 
impossible. The magic value approach just makes it harder. You need to 
guess a 32bit value. Even if this is totally random it is theoreticly 
possible to exploit the unlink() macro in that case. And do not forget 
the power of information leak exploits.

Just an example: The gamecube was hacked by an information leak exploit. 
A crc feature the Phantasy Star Online game allows to request checksums 
of arbitrary memory positions (and sizes).
So it was possible for the smart guy who did it, to create a complete 
memory dump from
remote. In that case your magic values are worthless...

Stefan Esser

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ