lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031021091417.W86626@dekadens.coredump.cx>
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: Re: No Subject

On Mon, 20 Oct 2003, Frank Knobbe wrote:

> Right then. Perhaps that makes me a script kiddie. I just can not
> comprehend a case where an unknown area of the heap is overwritten with
> 0's causes a fault that is exploitable to the point of executing
> injected code. I mean, you don't inject code.

While I'd hate to take sides on the OpenSSH vulnerability, this alone is
not a problem. On little endian machines, other than overwriting (zeroing)
variables, you can also benefit from partial pointer overwrite, something
you really should be aware of before getting in such a flame war. By
zeroing least significant bytes of certain user pointers on the heap, or
by overwriting certain malloc structures, it is possible to trigger writes
to other, somewhat controlled areas of the heap whenever the pointer is
written or freed, spoof contents when it is read, etc.

This makes it (sometimes) possible to point the code to a buffer created
previously, for which you control the contents, and can follow the same
procedure, now controlling the entire pointer (or pursue other,
application-specific vectors), triggering writes to stack or such, at
which point, you are home.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-10-21 09:14 --

   http://lcamtuf.coredump.cx/photo/current/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ