|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Pusscat (pusscat
metasploit.com)
Date: Wed Jul 25 2007 - 12:51:41 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Didn't halvar give a memory painting talk on exploiting this kind of
uninitialized/"dangling" variable bug?
~ Puss
-----Original Message-----
From: dailydave-bounceslists.immunitysec.com
[mailto:dailydave-bounceslists.immunitysec.com] On Behalf Of Thomas Ptacek
Sent: Wednesday, July 25, 2007 1:03 PM
To: jf
Cc: dailydavelists.immunitysec.com
Subject: Re: [Dailydave] Dangling pointers exploitation
Unitialized automatic variables and use-after-free variables seem
of-a-kind: you have a pointer who's value seems unpredictable but is
in fact strongly influenced by the execution environment which is in
turn often influenced by inputs and timing.
On 7/25/07, jf <jfdanglingpointers.net> wrote:
> > Let me just qualify that I was talking about the whole class of
> > wild-pointer bugs.
>
> how would it be any different than
> ptr+overflowed_offset/array[negative_index]/et cetera bugs?
>
> perhaps the guys found a new way of reliably exploiting a very specific
> form of dangling pointer bugs, but i dont see how it could possibly
> qualify as being a new class of vulns, nor can i think of anyone who has
> ever said a dangling pointer was a QA issue and not a security issue
>
--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]