Does CMF protect against this?

I believe not, if you’re referring to the general technique involved.

Well, if not, why not? It’s still a buffer overflow at its core, so why not?

It seems that this is a new technique for exploiting null pointer references, previously thought to have been extremely difficult to exploit. Does the general technique always rely on a buffer exploit? (I don’t mean just this specific case with Flash)

To answer my own question, the answer is no. Please see Justin Schuh (@jschuh@infosec.exchange) - Infosec Exchange for a simple example of this class of exploit. Also, I started a topic about this at Null pointer exploit excites researchers | Wilders Security Forums.

In the event that the null pointer came about because of a failure of a memory allocation function, perhaps CMF would offer protection. Justin Schuh (@jschuh@infosec.exchange) - Infosec Exchange provides a simple example that could be compiled and tested with CMF.

Hi, this depends on the exploit’s code: if it uses the stack/heap for the shellcode, CMF will detect this; if it uses just preallocated memory, CMF will not detect this. Actually, this is not a BO in the common meaning, but this can be detected by “on-the-fly” signature scanning. Exploits are generally BO exploits, but not in all cases. I saw many “popular” so-called “exploit suites”, and ~20% of their exploits were not bugs (meaning BO holes) at all, just some insecure ActiveX methods or something like this.

What about in the specific case of, let’s say, a call to calloc() fails (in other words, no memory is allocated but should have been), and then later on this (null) pointer has an offset added to it, and then the resulting memory location is written to? For example, if the calloc function in the example at Justin Schuh (@jschuh@infosec.exchange) - Infosec Exchange fails, and setSquare is subsequently called, will CMF alert on the setSquare call that dereferences a null pointer+offset?

No, of course CMF will not say anything until that is exploited to “jmp” somewhere to execute the shellcode.
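The case asked about above (a failed calloc() followed by a write at null pointer + offset), as an added C example that is not part of the original thread and is not the code from the linked post: the unchecked pattern beside a checked one. The `board_t` type, the function names and the return codes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical board type; only calloc() and the idea of a setSquare
 * call come from the thread. */
typedef struct { size_t width, height; unsigned char *cells; } board_t;

enum { SQ_OK = 0, SQ_NO_BOARD = -1, SQ_RANGE = -2 };

/* Unchecked pattern: the calloc() result is never tested. */
void board_init_unchecked(board_t *b, size_t w, size_t h) {
    b->width = w;
    b->height = h;
    b->cells = calloc(w * h, 1);   /* NULL on failure; w * h can wrap */
}

/* With cells == NULL this writes to address 0 + y * width + x, an
 * offset chosen by the caller. It is a plain data write: no code is
 * executed from the stack or heap at this point. */
void set_square_unchecked(board_t *b, size_t x, size_t y, unsigned char v) {
    b->cells[y * b->width + x] = v;
}

/* Checked pattern: refuse sizes that overflow, report a failed allocation. */
int board_init_checked(board_t *b, size_t w, size_t h) {
    b->width = b->height = 0;
    b->cells = NULL;
    if (w == 0 || h == 0 || w > SIZE_MAX / h) return SQ_RANGE;
    b->cells = calloc(w, h);
    if (b->cells == NULL) return SQ_NO_BOARD;
    b->width = w;
    b->height = h;
    return SQ_OK;
}

/* Reject a missing board and out-of-range coordinates before writing. */
int set_square_checked(board_t *b, size_t x, size_t y, unsigned char v) {
    if (b == NULL || b->cells == NULL) return SQ_NO_BOARD;
    if (x >= b->width || y >= b->height) return SQ_RANGE;
    b->cells[y * b->width + x] = v;
    return SQ_OK;
}

int main(void) {
    board_t failed = { 8, 8, NULL };   /* constructed: state after a failed calloc() */
    printf("write on failed board -> %d\n", set_square_checked(&failed, 3, 2, 1));
    return 0;
}
```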

Locked.

Reason: Out-Dated post.

Josh