Dailydave mailing list archives

Re: On exploiting null ptr derefs, disabling SELinux, andsilently fixed Linux vulns

From: TINNES Julien RD-MAPS-ISS <julien.tinnes () francetelecom com>
Date: Mon, 05 Mar 2007 16:05:36 +0100

Michal Zalewski a écrit :

On Mon, 5 Mar 2007, TINNES Julien RD-MAPS-ISS wrote:

That's exactly my point, you're not exploiting a userland application,
so the paradigm is different, and _YOU_ can map page 0 because you've
already got arbitrary code execution.


Julien,

I think we're getting splitting hairs over semantics here, and this list
is probably not a place to do this. If you wish, we might continue
off-list. It's my fault, of course, for starting this, but I hoped my post
to be taken more as a weak joke than a beginning of a flame war.

I do believe that the problem here arises from a missing check in kernel,
and not from the fact that straight dereference of null pointers in
kernel- or user-space is otherwise exploitable under normal conditions.
But that's just my opnion, and not even a particularly strong one.


I don't want to go into a flame war either, and I apologize if I sound
like I want.
However, I don't think this is off-topic, because the point is precisely
that, while they're not most of the time exploitable when lying in
user-space applications, null pointers dereferences are often
exploitable when they are in kernel (at least when in process context
and you can control that process).

This is a subject Brad, pipacs and I have discussed a few years ago and
it is a fact that NULL ptr dereferences in kernel are not taken for what
they are: a potential exploitable flaw, not only an 'OOPS'.

I do find Brad's exploit interesting, the attack vector novel, and I do
think it's wrong for kernel developers to fix it the way they did.


-- 
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Brad Spengler (Mar 03)
- Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Michal Zalewski (Mar 03)
  - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns TINNES Julien RD-MAPS-ISS (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Michal Zalewski (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, andsilently fixed Linux vulns TINNES Julien RD-MAPS-ISS (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, andsilently fixed Linux vulns Michal Zalewski (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, andsilently fixed Linux vulns TINNES Julien RD-MAPS-ISS (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, andsilently fixed Linux vulns don bailey (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, andsilently fixed Linux vulns Thomas Ptacek (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Michal Zalewski (Mar 05)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Dave Korn (Mar 06)
    - (windows is vulnerable too) & final comments on naming Brad Spengler (Mar 07)
    - Re: (windows is vulnerable too) & final comments on naming intropy (Mar 07)
    - Re: (windows is vulnerable too) & final comments on naming Dave Aitel (Mar 07)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Joel Eriksson (Mar 07)
    - Message not available
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Dave Korn (Mar 14)
    - Re: On exploiting null ptr derefs, disabling SELinux, and silently fixed Linux vulns Sebastian Krahmer (Mar 06)