Dailydave mailing list archives

Re: Dangling pointers exploitation


From: "Chris Rohlf" <chris.rohlf () gmail com>
Date: Wed, 25 Jul 2007 14:03:24 -0400

On 7/25/07, Thomas Ptacek <tqbf () matasano com> wrote:
> Uninitialized automatic variables and use-after-free variables seem
> of-a-kind: you have a pointer whose value seems unpredictable but is
> in fact strongly influenced by the execution environment, which is in
> turn often influenced by inputs and timing.

The articles about this research and the upcoming presentation are
pretty vague. Where were the now-dangling pointers pointing? The
heap? Were they function pointers? This leaves a lot of open questions
for me. Like Thomas, the first thought I had was: well, if your
dangling pointer points back into the heap, it's entirely possible
(given a program like a web server) to create specially crafted inputs
that eventually will be placed where you need them; you can control
these types of things. The only obstacle is that you have to
guess where that dangling pointer points to, unless of course you can
control it the first time around.

I think the biggest problem in exploiting/finding these kinds of
issues is knowing whether you have a dangling pointer or not. If the
program never crashes, and you don't have the source, you may never
know there was an issue. I look forward to reading this presentation
after everyone else because I could not make Black Hat this year :<

chris

-- 

http://em386.blogspot.com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
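The two points made in the message above, that a same-size allocation of crafted input can land in the chunk a stale pointer still references, and that a use-after-free whose slot is reclaimed by a compatible object never crashes, can be shown concretely. The following is an added example, not code from this thread or from the presentation being discussed. To keep the heap reuse deterministic it uses a toy LIFO slab allocator (an assumption standing in for the same-size free-chunk reuse real allocators perform); `struct conn`, `conn_new`, `uaf_controlled` and `uaf_silent` are hypothetical names chosen for the illustration. The stale function pointer is compared, never called, in the controlled case.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy LIFO slab allocator (assumption of this example, not a model of any
 * particular libc): fixed-size chunks, freed chunks are pushed on a free
 * list and the most recently freed chunk is handed out first. */
#define CHUNK_SIZE 32
#define NCHUNKS 8

static union { unsigned char bytes[CHUNK_SIZE]; void *align; } slab[NCHUNKS];
static void *free_list;
static int next_fresh;

static void slab_reset(void) {
    memset(slab, 0, sizeof slab);
    free_list = NULL;
    next_fresh = 0;
}

static void *slab_alloc(void) {
    if (free_list) {                    /* reuse: pop the last freed chunk */
        void *p = free_list;
        free_list = *(void **)p;
        return p;
    }
    if (next_fresh < NCHUNKS) return &slab[next_fresh++];
    return NULL;
}

static void slab_free(void *p) {
    *(void **)p = free_list;            /* link stored in the chunk's first bytes */
    free_list = p;
}

/* Heap object carrying a function pointer: the kind of target the thread asks about. */
typedef void (*handler_fn)(void);
struct conn {
    handler_fn on_data;
    char name[CHUNK_SIZE - sizeof(handler_fn)];
};

static int benign_calls;
static void benign_handler(void) { benign_calls++; }

static struct conn *conn_new(const char *name, handler_fn h) {
    struct conn *c = slab_alloc();
    if (!c) return NULL;
    c->on_data = h;
    strncpy(c->name, name, sizeof c->name - 1);
    c->name[sizeof c->name - 1] = '\0';
    return c;
}

/* Case 1: the freed chunk is reclaimed by raw attacker input of chunk size.
 * Returns 1 if the stale on_data now holds the attacker's bytes, 0 if not,
 * -1 if the input is too short to fill the pointer. The pointer is only
 * compared, never called. */
int uaf_controlled(const unsigned char *input, size_t len) {
    if (len < sizeof(handler_fn)) return -1;
    slab_reset();
    struct conn *c = conn_new("client", benign_handler);
    struct conn *dangling = c;          /* a second reference kept elsewhere in the program */
    slab_free(c);                       /* released on one path, reference not cleared */
    unsigned char *buf = slab_alloc();  /* same-size request: gets the freed chunk back */
    if (!buf) return -1;
    memcpy(buf, input, len < CHUNK_SIZE ? len : CHUNK_SIZE);
    return (void *)buf == (void *)dangling &&
           memcmp(&dangling->on_data, input, sizeof(handler_fn)) == 0;
}

/* Case 2: the freed chunk is reclaimed by another object of the same type.
 * The stale pointer reads a live, valid handler, the call succeeds and
 * nothing crashes; without source or a crash the bug stays invisible. */
int uaf_silent(void) {
    slab_reset();
    benign_calls = 0;
    struct conn *c = conn_new("client-a", benign_handler);
    struct conn *dangling = c;
    slab_free(c);
    struct conn *other = conn_new("client-b", benign_handler);
    dangling->on_data();                /* use after free, but the target is valid */
    return other == dangling && benign_calls == 1;
}

int main(void) {
    /* constructed attacker input: 32 bytes of 'A' */
    const unsigned char crafted[CHUNK_SIZE] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("stale pointer controlled by input: %d\n", uaf_controlled(crafted, sizeof crafted));
    printf("silent reuse, no crash: %d\n", uaf_silent());
    return 0;
}
```

Note that `slab_free` writes its free-list link over the first bytes of the chunk, exactly where `on_data` lives, so even before any reallocation the stale object is already corrupted; the crafted input then replaces that link with attacker-chosen bytes.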

