Dailydave mailing list archives

Re: Exploits matter.


From: Alexander Sotirov <alex () sotirov net>
Date: Thu, 8 Oct 2009 12:11:42 -0400

On Thu, Oct 08, 2009 at 10:47:19AM +0200, Ilfak Guilfanov wrote:
> Sorry for my ignorance, are NULL pointer dereference bugs exploitable today?

Hi Ilfak,

NULL pointer dereferences in userspace programs are generally not exploitable,
but in some rare cases they might be. For example, Mark Dowd published a Flash
exploit where a NULL pointer was used as the base of an array that was accessed
with an arbitrary array index. This turned the NULL pointer dereference into an
arbitrary memory write operation. Here's his detailed writeup about the exploit:
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf

This exploitation technique (and other interesting ones) was also described
in a really under-appreciated presentation by Gaël Delalleau at CanSecWest 2005:
http://cansecwest.com/core05/memory_vulns_delalleau.pdf

In the Linux kernel, NULL pointer dereferences are exploitable in many cases,
because the user can mmap memory at address 0 through a variety of techniques
and take control of the data structure the kernel is dereferencing. Brad
Spender has released multiple Linux local privilege escalation exploits
to prove this point. See this blog post for more info:
http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html

Take care,
Alex
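To make the arithmetic in the Flash example concrete, here is an added C illustration (not code from the post, from Mark Dowd's writeup or from Flash) of why an unchecked index on a NULL base reaches arbitrary addresses, alongside the pointer and bounds check that prevents it. The int_array struct and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration (not code from the post or from any real product):
 * a descriptor whose data pointer may legitimately be NULL, e.g. an array
 * object that was declared but whose storage was never allocated. */
struct int_array {
    int32_t *data;   /* may be NULL if allocation never happened */
    size_t   count;  /* number of valid elements when data != NULL */
};

/* Address that base[index] resolves to, as plain pointer arithmetic. With
 * base == NULL the result is index * sizeof(int32_t): the "NULL dereference"
 * lands wherever the index says, so a controlled index means a controlled
 * address, which is exactly the arbitrary write the post describes. */
uintptr_t element_address(const int32_t *base, size_t index)
{
    return (uintptr_t)base + index * sizeof(int32_t);
}

/* Vulnerable pattern from the post: index trusted, pointer never checked.
 * Not called here; shown only to contrast with the checked version below. */
void unchecked_store(struct int_array *a, size_t index, int32_t value)
{
    a->data[index] = value;   /* arbitrary write when a->data == NULL */
}

/* Hardened version: refuse a NULL base and an out-of-range index before
 * touching memory. Returns 0 on success, -1 when the store is rejected. */
int checked_store(struct int_array *a, size_t index, int32_t value)
{
    if (a == NULL || a->data == NULL)
        return -1;            /* storage missing: do not dereference */
    if (index >= a->count)
        return -1;            /* index outside the allocated object */
    a->data[index] = value;
    return 0;
}

int main(void)
{
    int32_t storage[4] = {0};
    struct int_array ok  = { storage, 4 };
    struct int_array bad = { NULL, 0 };
    printf("NULL base, index 0x10000 -> address 0x%lx\n",
           (unsigned long)element_address(NULL, 0x10000));
    printf("checked_store on NULL data: %d\n", checked_store(&bad, 0x10000, 1));
    printf("checked_store in bounds:    %d\n", checked_store(&ok, 2, 42));
    return 0;
}
```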

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave