Full Disclosure mailing list archives
Re: #WorldPenguinDay or this cant be right, can it?
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Fri, 1 May 2015 06:51:43 -0700
On 1 May 2015 at 00:11, PIN <zero () asac co> wrote:
It sounds like you're asking "If I can learn an address, have I defeated ASLR", and the answer is usually yes.Really? Because leaking a heap address in windows, openbsd, etc doesn't yield a full collapse of all loaded modules randomization given the preconditions; I'm asking that it's not just my box exhibiting this behavior- which is a long story why it must just be mine.
That wasn't what I said.
Well, you are somewhat missing the gravity here. If this is generally reproducible, you don't need the address to leak, you just need a series of arithmetic operations to land you at a fixed offset within the target module. no read back requisite.
Sure, If code with knowledge of an address is willing to act as an oracle, then ASLR is not useful. This is really just an indirect (and unlikely) way of leaking an address though.
I'm fairly positive that no ASLR scheme is intended to entirely and totally collapse given a single address that you don't necessarily even need to know. Thus I find it hard to believe this is the case.
Well, if you know in advance which address to leak you can arrange for it to be a useless one, it would usually have to be MMAP_FIXED and be sanitized (think KUSER_SHARED_DATA on Windows or the vsyscall page on Linux) so as not to weaken ASLR. That isn't usually the case though, so the scheme will usually be defeated.
You don't usually run untrusted python, > so python's id() isn't a bug - but you do run untrusted JavaScript.Really? Because your employer does exactly that.
Creepy. I said "usually".
The bigger question was the behavior, not python. It seems a practical extension of the spy in the sandbox stuff to potentially grab enough of an address to leverage this in javascript, although code is not yet forthcoming there. However giving the cache line and physical to virtual address scheme mappings, this seems likely.
Well, good luck. Tavis. -- ------------------------------------- taviso () cmpxchg8b com | pgp encrypted mail preferred ------------------------------------------------------- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: #WorldPenguinDay or this cant be right, can it? Tavis Ormandy (Apr 30)
- Re: #WorldPenguinDay or this cant be right, can it? PIN (May 01)
- Re: #WorldPenguinDay or this cant be right, can it? Tavis Ormandy (May 01)
- Re: #WorldPenguinDay or this cant be right, can it? PIN (May 01)
- Re: #WorldPenguinDay or this cant be right, can it? Tavis Ormandy (May 01)
- Re: #WorldPenguinDay or this cant be right, can it? PIN (May 01)