NULL Pointer Exploit Excites Researchers

Da Massive writes "Mark Dowd's paper "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine" has alarmed researchers. It points out techniques that promise to open up a class of exploits and vulnerability research previously thought to be prohibitively difficult. Already, the small but growing group of Information Security experts who have had the chance to read and digest the contents of the paper are expressing an excited concern depending on how they are interpreting it. While the Flash vulnerability described in the paper[PDF] has been patched by Adobe, the presentation of a reliable exploit for NULL pointer dereferencing has the researchers who have read the paper fascinated. Thomas Ptacek has an explanation of Dowd's work, and Nathan McFeters at ZDNet is 'stunned by the technical details.'"

Aha!

[Rik+Sweeney]

So you CAN get something from nothing!

Oblig

NULL to see here, move along to 0x80000001 please...

Re:The crux of the exploit:

[slapys]

Dude. You are wise beyond your years. I hereby dub thee: the sensei of security.

Yes, but if your pointer is NULL

[smittyoneeach]

...you'll need a little Viagra first.

Re:Is this new?

[somersault]

That's what the aliens get for abducting Bill Gates and basing their Mothership's OS on values obtained while probing his anus..

Re:boring?

[somersault]

This is more like a cat up a tree armed with a sniper rifle, picking off any emergency service personnel that get too close while his buddies rob a bank.

Re:fubar

You don't have to come across this exploit for your browser to crash in Vista, normal browsing does that just fine.

If your pointer is NULL

[superbrose]

...you'll need a pointer first.

Re:Always check your return values!

On a modern OS you have to work hard to make malloc fail. OSs will grant memory requests far above the amount of physical memory, and will even overcommit the virtual memory on the theory that you're not going to use all of it anyway.

The only way I've seen to get it to consistently fail is not on low memory but by asking for ludicrous amounts like 4GB at once on a 32bit system. Try it - get your system into a low memory condition and execute a few mallocs.. they don't fail - the OS merely continues to increase virtual memory and swap more and more. You talk about "a modern OS", and then describe how WINDOWS uses its swap file.

"A modern OS" will most likely have fixed-size swap partitions.

Re:The crux of the exploit:

[Waffle+Iron]

Furthermore, if you ban the low level languages, what are you going to write the high level language's byte-code interpreters in? Why, turtles of course. Turtles all the way down.

What's ironic..

[encoderer]

What's ironic is that this exploit DOESN'T crash the browser! That's the whole ever-fuckin point.

A browser crash is what's SUPPOSED to happen here to prevent the exploit from deploying its payload. I mean, in this case, a crash is the DESIRED behavior. An uncaught exception should be thrown.

So... just walk with me here... maybe Windows isn't just unreliable and unstable. MAYBE it's the most secure application stack ever devised. ...oh, hell...nevermind

Re:The crux of the exploit:

[T.E.D.]

remember: you are in control of the machine, not the other way around.

If you are coding in C, you won't be in control of the machine for long. :-)

Re:fubar

[crymeph0]

Actually the researcher specifically crafted his exploit demo so it wouldn't crash the browser. Maybe if I intentionally get infected, Vista won't suck as much!