Slashdot Mirror


NULL Pointer Exploit Excites Researchers

Da Massive writes "Mark Dowd's paper "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine" has alarmed researchers. It points out techniques that promise to open up a class of exploits and vulnerability research previously thought to be prohibitively difficult. Already, the small but growing group of Information Security experts who have had the chance to read and digest the contents of the paper are expressing an excited concern, depending on how they are interpreting it. While the Flash vulnerability described in the paper [PDF] has been patched by Adobe, the presentation of a reliable exploit for NULL pointer dereferencing has the researchers who have read the paper fascinated. Thomas Ptacek has an explanation of Dowd's work, and Nathan McFeters at ZDNet is 'stunned by the technical details.'"

8 of 327 comments

  1. Binary blobs by should_be_linear · · Score: 4, Insightful

    Some years ago I had many binary proprietary blobs on my computer: SUN Java browser plugin (now OSS), Adobe Acrobat (don't need it any more, OSS alternatives are equal now), nVidia driver (still needed but a solution is on the way -> looking forward to switching to ATI as soon as GPL drivers get there), MS media codecs (don't need them any more, Flash ate MS' streaming video pie). Now, only Flash player remains, for which I don't see a replacement in the OSS world in the foreseeable future. Add to it security concerns and a 64-bit version and it clearly becomes the major PITA of Linux desktop users. Doesn't look like it will change any time soon.

    --
    839*929
  2. Re:boring? by ubernostrum · · Score: 5, Insightful

    Wow, an error in a program. This seems akin to ground-breaking front-page news: a cat stuck in a tree rescued by firemen.

    Actually, it is a big deal, as you'd know if you'd read the article(s). But you're too lazy for that, so here's the short summary:

    Lots of interesting (and important) security problems revolve around figuring out a way to take an error in a program, and turn it into a way to have that program execute arbitrary code of your choice. Traditionally, NULL pointer exceptions have not been fruitful ground for this because, well, a NULL pointer is NULL -- there's nothing on the other end of the pointer for the unsuspecting program to read or execute, so it simply crashes. And merely crashing the program isn't really all that interesting, since at best it lets you execute a denial-of-service. But this guy (Dowd) found what would have been a run-of-the-mill NULL pointer exception in Flash and parlayed it into full-scale arbitrary code execution through a series of fairly impressive tricks. You really should go read Ptacek's summary, because it has all the gory details and will, if nothing else, make you realize what an amazing hack this is.

  3. Re:Why the java icon? by ChunderDownunder · · Score: 5, Insightful

    Probably because they see JavaScript, bytecode and virtual machine all in the same sentence. Put two and two together and you end up with five.

  4. Re:Always check your return values! by Tony+Hoyle · · Score: 4, Insightful

    On a modern OS you have to work hard to make malloc fail. OSs will grant memory requests far above the amount of physical memory, and will even overcommit the virtual memory on the theory that you're not going to use all of it anyway.

    The only way I've seen to get it to consistently fail is not on low memory but by asking for ludicrous amounts like 4GB at once on a 32-bit system. Try it - get your system into a low memory condition and execute a few mallocs. They don't fail - the OS merely continues to increase virtual memory and swap more and more.

  5. Re:The crux of the exploit: by pla · · Score: 4, Insightful

    Assuming that Flash is made in C or C++, here is another very vivid example of why these languages should be banned.

    You do understand that all those nasty loosely-typed pointer-based exploits you and others disdain in C, exist because C nicely mirrors how the actual hardware handles similar concepts?


    If failure of allocation threw an exception, instead of just returning null, there would be no problem.

    And if programmers would check that the allocation succeeded, we would also have no problem.

    In your hypothetical "safe" language (C#, for example), I can't count how many times I've seen system calls wrapped in a try/catch to hide the exception, then carry on pretending the call worked just fine. Guess what? SAME DAMNED PROBLEM!



    Don't blame the pipe-wrench for making a poor hammer. Blame the craftsman too lazy to find a hammer.
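
    The point running through comments 2, 4 and 5 is a single bug class: malloc returns NULL, nobody checks, and the program later writes to a small offset from address 0. The C below is an added example for this thread (not from the original comments, Dowd's paper, or Flash); the `record` type and every function name in it are constructed for illustration. It shows the "never fails in practice" observation from comment 4 (a 1 MiB request succeeds, a SIZE_MAX request is refused), the unchecked pattern beside a checked one that turns allocation failure into an explicit error, and a consumer that validates the pointer it is handed instead of trusting the allocator.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record type for this demonstration. With a NULL struct
 * pointer, every field access becomes an access at a small offset from
 * address 0, which is the "crash bug" class the thread is discussing. */
struct record {
    uint32_t id;
    char     name[32];
};

/* Probe whether malloc(n) succeeds; frees the block if it did.
 * Returns 1 on success, 0 when malloc returned NULL. */
int malloc_succeeds(size_t n) {
    void *p = malloc(n);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

/* Unchecked pattern (the defect): the allocation result goes straight
 * into use. If malloc returns NULL, r->id is a write at offset 0. */
struct record *record_new_unchecked(size_t n, uint32_t id) {
    struct record *r = malloc(n);
    r->id = id;              /* no NULL check before the dereference */
    r->name[0] = '\0';
    return r;
}

/* Checked pattern: allocation failure becomes an explicit error code
 * (written to *err) instead of a NULL that is dereferenced later. */
struct record *record_new_checked(size_t n, uint32_t id, int *err) {
    struct record *r;
    if (n < sizeof *r) {     /* too small for the type: refuse */
        *err = EINVAL;
        return NULL;
    }
    r = malloc(n);
    if (r == NULL) {         /* allocation failed: report, never touch r */
        *err = ENOMEM;
        return NULL;
    }
    *err = 0;
    memset(r, 0, sizeof *r);
    r->id = id;
    return r;
}

/* Consumers validate the pointer they are handed rather than assuming
 * the allocator "never fails". Returns -1 on NULL input, 0 on success. */
int record_set_name(struct record *r, const char *name) {
    if (r == NULL || name == NULL)
        return -1;
    snprintf(r->name, sizeof r->name, "%s", name);
    return 0;
}

/* Convenience for the demo: the error code the checked constructor
 * reports for a request of n bytes (0 means a record was made). */
int checked_alloc_status(size_t n) {
    int err = -1;
    struct record *r = record_new_checked(n, 0, &err);
    free(r);                 /* free(NULL) is a no-op */
    return err;
}

int main(void) {
    struct record *r;
    int err = 0;

    printf("malloc(1 MiB)   succeeds: %d\n", malloc_succeeds(1u << 20));
    printf("malloc(SIZE_MAX) succeeds: %d\n", malloc_succeeds(SIZE_MAX));
    printf("checked SIZE_MAX -> err %d (ENOMEM=%d)\n",
           checked_alloc_status(SIZE_MAX), ENOMEM);

    r = record_new_checked(sizeof *r, 7, &err);
    if (r != NULL && record_set_name(r, "example") == 0)
        printf("record %u name=%s\n", r->id, r->name);
    free(r);

    /* The unchecked constructor is only ever called here with a size
     * that succeeds; with a failing size it would crash at r->id. */
    r = record_new_unchecked(sizeof *r, 8);
    free(r);

    printf("set_name(NULL) -> %d\n", record_set_name(NULL, "x"));
    return 0;
}
```

    On a 64-bit Linux host with default overcommit the 1 MiB probe succeeds and only the absurd SIZE_MAX request fails, which is the behaviour comment 4 describes; the checked constructor and the NULL-validating consumer are the two places the fix belongs regardless of whether the failure is "realistic".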

  6. Re:Big deal by Anonymous Coward · · Score: 5, Insightful

    Because it can probably be made to work cross-version, cross-platform and cross-architecture?

    Because everyone has Flash installed?

    Because it opens up a whole class of common bugs previously thought to be unexploitable?

    Because the way he does it is nothing short of godlike?

    This is HUGE.

  7. Re:The crux of the exploit: by hey! · · Score: 4, Insightful

    The kitchen? No. The Nursery? Might be a good idea.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  8. Re:Big deal by n0-0p · · Score: 4, Insightful

    It's news because it's a general method for code execution from a common class of NULL pointer dereferences. He turned something that most people consider a crash bug into a code execution bug. Here's a simpler example from Dowd's blog: http://taossa.com/index.php/2007/04/15/bored-games/

    The other reason why it's news is that his method for exploiting Flash in this case is technically brilliant. I can understand if you don't appreciate it, but any security people out there are just overwhelmed.