Does CMF protect against this?

[Guest]

[patrice58]

http://news.bbc.co.uk/1/hi/technology/7358792.stm

[MrBrian]

I believe not, if you're referring to the general technique involved.

[patrice58]

Well if not why not? it's still a buffer overflow at it's core so why not

[MrBrian]

It seems that this is a new technique for exploiting null pointer references, previously thought to have been extremely difficult to exploit.   Does the general technique always rely on a buffer exploit?  (I don't mean just this specific case with Flash)

[MrBrian]

It seems that this is a new technique for exploiting null pointer references, previously thought to have been extremely difficult to exploit.   Does the general technique always rely on a buffer exploit?  (I don't mean just this specific case with Flash)

To answer my own question, the answer is no.  Please see http://taossa.com/index.php/2007/04/15/bored-games/ for a simple example of this class of exploit.  Also, I started a topic about this at http://www.wilderssecurity.com/showthread.php?p=1227177#post1227177.

[MrBrian]

In the event that the null pointer came about because of a failure of a memory allocation function, perhaps CMF would offer protection.  http://taossa.com/index.php/2007/04/15/bored-games provides a simple example that could be compiled and tested with CMF.

[Tyler Durden]

Hi, this depends on the exploit's code, if it uses the stack/heap for the shellcode the CMF will detect this if it uses just preallocated memory CMF will not detect this. Actually this is not a BO in common meaning, but this can be detected by "on fly" signatures scanning. Exploits are generaly BO-exploits, but not in all cases, I saw many "popular" so called "exploits-suites" and ~20% of their exploits were not bugs (means BO holes) at all, just some insecure ActiveX methods or something like this.

[MrBrian]

Hi, this depends on the exploit's code, if it uses the stack/heap for the shellcode the CMF will detect this if it uses just preallocated memory CMF will not detect this. Actually this is not a BO in common meaning, but this can be detected by "on fly" signatures scanning. Exploits are generaly BO-exploits, but not in all cases, I saw many "popular" so called "exploits-suites" and ~20% of their exploits were not bugs (means BO holes) at all, just some insecure ActiveX methods or something like this.

What about in the specific case of, let's say, a call to calloc() fails (in other words, no memory is allocated but should have been), and then later on this (null) pointer has an offset added to it, and then the resulting memory location is written to?  For example, if the calloc function in the example at http://taossa.com/index.php/2007/04/15/bored-games/ fails, and setSquare is subsequently called, will CMF alert on the setSquare call that dereferences a null pointer+offset?

[Tyler Durden]

No, ofcourse CMF will not say anything till that will be exploited to "jmp" somewhere to execute the shellcode.

[3xist]

Locked.

Reason: Out-Dated post.

Josh

[Tags:]