Bugtraq mailing list archives
Re: [ANNOUNCE] glibc heap protection patch
From: Stefan Esser <se () nopiracy de>
Date: Wed, 03 Dec 2003 14:01:39 +0100
William Robertson wrote:
> This is true in the case of the fd and bk pointers, and in fact this is one of the checks that dlmalloc's debugging code performs. However, as we also demonstrated in the paper, you are still open to other heap-related attacks, such as overwriting size fields and setting up fake chunk headers. So, unfortunately I don't think that check alone is sufficient.
The last time I checked there was no such check in the unlink macro (no matter whether in debug mode or not). Overwriting size fields and setting up fake chunk headers are the standard way to exploit malloc()/free() structures. And you should rethink my unlink macro. It perfectly stops ALL heap attacks that try to make use of the unlink macro (and these are the most common out there). I know that modifying unlink does not protect against frontlink attacks. But most heap exploiters do not even know that there is anything other than unlink. I never said that the unlink macro is the ultimate solution to all heap problems, but it is certainly more secure to check the pointers on unlink than to protect it only with magic numbers. The best solution would be a combination of both.
Ohh btw... Feel free to demonstrate to me an unlink exploit that works while my unlink macro is in place... In the last two years I concentrated nearly exclusively on heap exploits on a variety of platforms: glibc/bsd/solaris/windows, and I even exploited the heap on the XBOX with my dashboard-font exploit. So I very much doubt that my statement was incorrect.
Stefan Esser
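As an added illustration (not code from this thread, from Stefan Esser's patch or from William Robertson's), here is a minimal model of the fd/bk pointer check the exchange refers to: before unlinking chunk P from its bin, require P->fd->bk == P and P->bk->fd == P, the consistency test glibc later shipped as its "corrupted double-linked list" check. The chunk layout, the bin and the corruption scenario are constructed for the example; the unchecked variant is shown only so the difference in behaviour is visible.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a dlmalloc-style free chunk: only the fields unlink touches. */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;   /* next free chunk in the bin */
    struct chunk *bk;   /* previous free chunk in the bin */
} chunk;

/* Classic unchecked unlink: writes through fd and bk without validating them. */
static void unlink_unchecked(chunk *p) {
    chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Checked unlink: the neighbours must agree that p sits between them.
 * Returns 0 on success, -1 when the list is inconsistent (corruption detected). */
static int unlink_checked(chunk *p) {
    chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;          /* refuse: no write is performed */
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Builds a circular bin head <-> a <-> b <-> head, like a dlmalloc bin header. */
static void make_bin(chunk *head, chunk *a, chunk *b) {
    head->fd = a; a->bk = head;
    a->fd = b;    b->bk = a;
    b->fd = head; head->bk = b;
}

/* Healthy bin: the checked unlink succeeds and head now links straight to b. */
int unlink_intact_ok(void) {
    chunk head = {0}, a = {0}, b = {0};
    make_bin(&head, &a, &b);
    return unlink_checked(&a) == 0 && head.fd == &b && b.bk == &head;
}

/* Corrupted bin (constructed): a's fd was overwritten with a pointer to an
 * unrelated struct whose bk does not point back at a. The checked unlink
 * rejects the chunk and leaves the bin and the stray struct untouched. */
int unlink_corrupt_detected(void) {
    chunk head = {0}, a = {0}, b = {0}, stray = {0};
    make_bin(&head, &a, &b);
    a.fd = &stray;                                   /* simulated overflow into a->fd */
    return unlink_checked(&a) == -1 && head.fd == &a && stray.bk == NULL;
}

/* Same corruption, unchecked unlink: the stray struct's bk field is silently
 * written and the bin head now points at it. This is what the check prevents. */
int unlink_unchecked_writes_through(void) {
    chunk head = {0}, a = {0}, b = {0}, stray = {0};
    make_bin(&head, &a, &b);
    a.fd = &stray;
    unlink_unchecked(&a);
    return stray.bk == &head && head.fd == &stray;
}

int main(void) {
    printf("intact bin:      %s\n", unlink_intact_ok() ? "unlinked" : "FAIL");
    printf("corrupted bin:   %s\n", unlink_corrupt_detected() ? "rejected by check" : "FAIL");
    printf("unchecked unlink: %s\n", unlink_unchecked_writes_through() ? "wrote through bad fd" : "FAIL");
    return 0;
}
```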
Current thread:
- [ANNOUNCE] glibc heap protection patch William Robertson (Dec 01)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 03)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 03)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch Eugene Tsyrklevich (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch Han Boetes (Dec 03)
- Re: [ANNOUNCE] glibc heap protection patch Adam Shostack (Dec 04)
- Re: [ANNOUNCE] glibc heap protection patch Jim Knoble (Dec 04)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 02)
- Message not available
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 04)
- <Possible follow-ups>
- Re: [ANNOUNCE] glibc heap protection patch xenophi1e (Dec 03)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 04)
- Re: [ANNOUNCE] glibc heap protection patch Troed Sångberg (Dec 04)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 04)