Dailydave mailing list archives
Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Sat, 3 Mar 2007 18:32:35 +0100 (CET)
On Sat, 3 Mar 2007, Brad Spengler wrote:
> Also, if there are any security historians on the list, I submit for your
> record-keeping what I believe to be the first public exploit for a null ptr
> dereference bug in the Linux kernel.

Historians, wait! Here, I have the same code dated 2001! Which is notable, because it actually predates the 2.6 kernel altogether!

On a more serious note... null pointer _dereference_ ("following of") is almost never exploitable on modern platforms (unless you count 0x0+large_offset table element access), and this exploit is consistent with that assessment.

What you have here is not a dereference of a null pointer (the kernel never tries to read/write *0x0), but rather, an opportunity to access a fun page of memory because of a missing 0x0 value check.

Naming your post / exploit in such an alarmist way will only have folks report NULL ptrs in /bin/date as "EXTREMELY CRITICAL" as opposed to the usual "VERY CRITICAL" we're all accustomed to. Please don't ;-)

/mz