BugTraq
[ANNOUNCE] glibc heap protection patch Dec 01 2003 07:31PM
William Robertson (wkr cs ucsb edu) (2 replies)
Re: [ANNOUNCE] glibc heap protection patch Dec 02 2003 02:03PM
Stefan Esser (stefan suspekt org) (1 replies)
Re: [ANNOUNCE] glibc heap protection patch Dec 02 2003 05:16PM
William Robertson (wkr cs ucsb edu) (1 replies)
Re: [ANNOUNCE] glibc heap protection patch Dec 03 2003 01:01PM
Stefan Esser (se nopiracy de) (1 replies)
William Robertson wrote:

> This is true in the case of the fd and bk pointers, and in fact this
> is one of the checks that dlmalloc's debugging code performs.
> However, as we also demonstrated in the paper, you are still open to
> other heap-related attacks, such as overwriting size fields and
> setting up fake chunk headers. So, unfortunately I don't think that
> check alone is sufficient.

The last time I checked there was no such check in the unlink macro (no
matter if debug mode or not). Overwriting size fields and setting up
fake chunk headers are the standard way to exploit malloc()/free()
structures. And you should rethink about my unlink macro. It perfectly
stops ALL
heap attacks that try to make use of the unlink macro (and this are the
most out there). I know that modifying unlink does not protect against
frontlink attacks. But most heap exploiters do not even know that there
is anything else than unlink. I never said that the unlink macro is the
ultimate solution to all heap problems, but it is certainly securer to
check the pointers on unlink than protecting it only with magic numbers.
The best solution would be a combination of both.

Ohh btw... Feel free to demonstrate me an unlink exploit that works
while my unlink macro
is in place... In the last two years I nearly only concentrated on heap
exploits on a various
number of platforms. glibc/bsd/solaris/windows and I even exploited the
heap on XBOX
with my dashboard-font exploit. So I very much doubt that my statement
was incorrect.

Stefan Esser

[ reply ]
Re: [ANNOUNCE] glibc heap protection patch Dec 03 2003 10:25PM
William Robertson (wkr cs ucsb edu)
Re: [ANNOUNCE] glibc heap protection patch Dec 02 2003 11:27AM
Eugene Tsyrklevich (eugene securityarchitects com) (1 replies)
Re: [ANNOUNCE] glibc heap protection patch Dec 02 2003 07:33PM
William Robertson (wkr cs ucsb edu) (1 replies)
Re: [ANNOUNCE] glibc heap protection patch Dec 03 2003 07:54AM
Han Boetes (han mijncomputer nl) (1 replies)
Re: [ANNOUNCE] glibc heap protection patch Dec 04 2003 05:42PM
Adam Shostack (adam homeport org) (1 replies)
Re: [ANNOUNCE] glibc heap protection patch Dec 04 2003 10:25PM
Jim Knoble (jmknoble pobox com)


 

Privacy Statement
Copyright 2010, SecurityFocus