Re: Two MSIE 6.0/7.0 NULL pointer crashes
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Sun, 24 Jan 2010 01:05:06 +0100 (CET)
On Thu, 21 Jan 2010, Dan Kaminsky wrote:
> But imagine an oldschool application drenched in strcpy, where you've
> lost context of the length of that buffer five functions ago.
When you discover you are riding a dead horse, the best strategy is to
dismount. When you discover the program is designed too badly to be
maintained, the best strategy is to rewrite it.
> Or imagine the modern browser bug, where you're going up against an
> attacker who *by design* has a Turing complete capability to manipulate
> your object tree, complete with control over time.
Such an attacker must be assumed to possess hyperturing computing power
because an exploit can communicate with an oracle.
But I do not think this case is much different from the previous one:
most, if not all, of those bugs are elementary integrity violations (not
prevented because the boundary between trusted and untrusted data is not
clear enough) and race conditions (multithreading with locks is an
idea on the same level as strcpy).
> Or, worst of all, take a design flaw like Marsh Ray's TLS
One needs to pay utmost attention to the design and its correctness.
This has been known for decades, hasn't it?
(An interesting finding regarding the renegotiation issue: People
analyzing the protocol in the past had spent a lot of energy on its
individual parts, esp. the handshake, and very little work had been done
on the protocol as a whole.)
> c) The system needs to work entirely the same after.
Not entirely. You want to get rid of the vulnerability.
Pavel Kankovsky aka Peak / Jeremiah 9:21 \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
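The strcpy situation quoted above (a destination buffer whose size was known five frames up and is gone by the time the copy happens) and the reply's "rewrite it" answer can be made concrete. The following is an added example, not code from this thread or from either poster: the `struct sbuf` type and the `*_safe`/`*_unsafe` helpers are hypothetical names chosen for the illustration. The unsafe chain passes a bare `char *` down two calls and has nothing to check against; the safe chain passes the capacity along with the pointer, so the leaf can refuse an oversized source instead of overflowing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The shape described in the quoted text: the destination travels as a
 * bare char*, its capacity was known only to a caller several frames up,
 * and the leaf has nothing to check against. Kept for contrast; it is
 * only ever called here with a source that fits. */
void leaf_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);            /* writes strlen(src) + 1 bytes, unchecked */
}

void mid_unsafe(char *dst, const char *src)
{
    leaf_unsafe(dst, src);       /* the capacity is already lost here */
}

/* Hypothetical fix: make the capacity part of the value that is passed
 * around, so no intermediate frame has to remember it. */
struct sbuf {
    char  *data;
    size_t cap;                  /* bytes available, including the NUL */
};

/* Bounded copy. Returns true on success. On failure nothing is written
 * except an empty string (when cap > 0), so callers never see stale data
 * and never see a write past cap. */
bool sbuf_copy(struct sbuf dst, const char *src)
{
    size_t n = strlen(src);
    if (dst.cap == 0)
        return false;
    if (n >= dst.cap) {          /* no room left for the terminator */
        dst.data[0] = '\0';
        return false;
    }
    memcpy(dst.data, src, n + 1);
    return true;
}

/* Same call depth as the unsafe chain; the bound survives every hop. */
bool leaf_safe(struct sbuf dst, const char *src) { return sbuf_copy(dst, src); }
bool mid_safe(struct sbuf dst, const char *src)  { return leaf_safe(dst, src); }

/* Demo harness: a 16-byte destination reached through the safe chain. */
static char demo_buf[16];

bool copy_into_16(const char *src)
{
    struct sbuf dst = { demo_buf, sizeof demo_buf };
    return mid_safe(dst, src);
}

const char *demo_result(void) { return demo_buf; }

int main(void)
{
    char tiny[16];
    mid_unsafe(tiny, "fits");    /* safe only because this input is short */
    printf("unsafe chain: %s\n", tiny);

    /* Constructed sample inputs: two fit, two would overflow 16 bytes. */
    const char *inputs[] = {
        "short",
        "exactly15chars!",
        "exactly16chars!!",
        "untrusted input that is far too long for the buffer"
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-55s -> %s\n", inputs[i],
               copy_into_16(inputs[i]) ? "accepted" : "rejected (would overflow)");
    return 0;
}
```

The point of `struct sbuf` is not the bounded copy itself (strncpy or snprintf could do that at the leaf) but that the bound is carried by the type, so it cannot be lost between the frame that allocated the buffer and the frame that fills it; retrofitting this onto a code base that passes raw `char *` everywhere is close to the rewrite the reply argues for.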