Dailydave mailing list archives
Re: Exploits matter.
From: Alexander Sotirov <alex () sotirov net>
Date: Thu, 8 Oct 2009 12:11:42 -0400
On Thu, Oct 08, 2009 at 10:47:19AM +0200, Ilfak Guilfanov wrote:
Sorry for my ignorance, are NULL pointer dereference bugs exploitable today?
Hi Ilfak,

NULL pointer dereferences in userspace programs are generally not exploitable, but in some rare cases they might be. For example, Mark Dowd published a Flash exploit where a NULL pointer was used as the base of an array that was accessed with an arbitrary array index. This turned the NULL pointer dereference into an arbitrary memory write operation. Here's his detailed writeup about the exploit:

http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf

This exploitation technique (and other interesting ones) was also described in a really under-appreciated presentation by Gaël Delalleau at CanSecWest 2005:

http://cansecwest.com/core05/memory_vulns_delalleau.pdf

In the Linux kernel, NULL pointer dereferences are exploitable in many cases, because the user can mmap memory at address 0 through a variety of techniques and take control of the data structure the kernel is dereferencing. Brad Spender has released multiple Linux local privilege escalation exploits to prove this point. See this blog post for more info:

http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html

Take care,
Alex
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
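The userspace case Alex describes (a NULL pointer used as the base of an array indexed by an attacker-controlled value) is easiest to see as address arithmetic. The following is an added example, not code from the mail, from Mark Dowd's writeup or from Flash; the `table_t` type and the function names are hypothetical. It models the write target as integer arithmetic on `uintptr_t` rather than actually storing through the pointer, so it runs safely anywhere, and it places the vulnerable access pattern next to a hardened one that rejects a NULL base and enforces the bound.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical object whose element array may be NULL, e.g. because an
 * earlier allocation failed or was skipped and the caller never checked. */
typedef struct {
    uint32_t *entries;   /* may be NULL */
    size_t    count;     /* number of valid elements when entries != NULL */
} table_t;

/* Vulnerable pattern: computes the address that "t->entries[index] = v"
 * would write to, with no NULL check and no bounds check. Done as integer
 * arithmetic so this example never touches memory. With entries == NULL the
 * base is 0, so the written address is simply index * sizeof(uint32_t):
 * an attacker who controls index controls the write target. */
static uintptr_t vuln_target_addr(const table_t *t, uint32_t index)
{
    uintptr_t base = (uintptr_t)t->entries;            /* 0 when NULL */
    return base + (uintptr_t)index * sizeof(uint32_t); /* no checks */
}

/* Attacker's side of the calculation: the index needed to make the
 * NULL-based access land on an absolute address `want`. */
static uint32_t index_for_addr(uintptr_t want)
{
    return (uint32_t)(want / sizeof(uint32_t));
}

/* Hardened form: the NULL base is rejected, the index is range-checked
 * against the element count, and only then is the store performed.
 * Returns 1 on success, 0 when the store was refused. */
static int safe_store(table_t *t, uint32_t index, uint32_t value)
{
    if (t->entries == NULL || index >= t->count)
        return 0;
    t->entries[index] = value;
    return 1;
}

int main(void)
{
    table_t broken = { NULL, 0 };              /* constructed sample */
    uintptr_t want = 0x41414140u;              /* arbitrary target address */

    printf("index 0      -> write at %#lx (plain crash)\n",
           (unsigned long)vuln_target_addr(&broken, 0));
    printf("index %#x -> write at %#lx (attacker chosen)\n",
           index_for_addr(want),
           (unsigned long)vuln_target_addr(&broken, index_for_addr(want)));
    printf("safe_store on NULL base: %d\n", safe_store(&broken, 5, 1));
    return 0;
}
```

The point of the arithmetic is that a "NULL dereference" is only a guaranteed crash when the offset added to the NULL base is small and fixed; once the offset is an attacker-chosen index scaled by the element size, every address that is a multiple of the element size within the index's range becomes writable.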
Current thread:
- Re: Exploits matter., (continued)
- Re: Exploits matter. Matthew Wollenweber (Oct 08)
- Re: Exploits matter. security curmudgeon (Oct 22)
- Re: Exploits matter. security curmudgeon (Oct 08)
- Re: Exploits matter. security curmudgeon (Oct 08)
- Re: Exploits matter. Tom Parker (Oct 08)
- Re: Exploits matter. alexm (Oct 08)
- Re: Exploits matter. vincent hinderer (Oct 08)
- Re: Exploits matter. security curmudgeon (Oct 08)
- Re: Exploits matter. Ilfak Guilfanov (Oct 08)
- Re: Exploits matter. Alexander Sotirov (Oct 08)
- Re: Exploits matter. Jesse Gough (Oct 08)
- Re: Exploits matter. Aaron (Oct 08)