[Full-Disclosure] No Subject (re: openssh exploit code?)
Gregory A. Gilliss
ggilliss at netpublishing.com
Tue Oct 21 01:19:27 BST 2003
Maybe I missed something here...
I'm an assembler jockey from BITD and I know a few things about alloc/
calloc/malloc and heaps and stacks etc. So what's the key, may I ask,
to this heap exploit that was the origin of this thread?
Heap, as you know, is memory from which blocks are dynamically
allocated. Ideally (although not always actually) heap memory is
allocated, used, freed, and possibly reused or else the OS gets it
back and can provide it to another process. Now, in many cases that
memory does not get scrubbed from one process to another, which is
why people are urged to bcopy/memcpy() the allocated memory so that
it is transmuted into a known state. Technically no matter what code
you put in the heap space, unless the OS does something executable
with it (and in privileged mode of course) there is nothing that user
space code can do that would elevate privileges. BTW, my understanding
is that the mechanism works the same regardless of big/little endian,
and I've done it on IBM mainframes, VAXen, and Intel chips...
So, can one of you pls point me back at the message where the technical
part of this heap 'sploit is discussed? Thanx.
On or about 2003.10.20 16:18:05 +0000, mitch_hurrison at ziplip.com (mitch_hurrison at ziplip.com) said:
> Hi Paul,
> > So there's the 1% l33ts like you, and then there's the 99% of the
> > human populace that has other things to do besides squirrel
> > around with code. I get it.
> How does my "squirreling around with code" all day bear relevance
> to the points I put forward? If anything you as an admin should
> be happy no one has been foolish enough to release an exploit
> en masse no? I chose this life and I chose to commit myself
> to the research I do. I work hard at it and I don't think releasing
> exploit code is a justifiable action in this day and age. Then
> you come wobbling out of the woodwork to muster up some obscure
> insult about me being a "code monkey"? Very classy Paul.
Gregory A. Gilliss, CISSP Telephone: 1 650 872 2420
Computer Engineering E-mail: greg at gilliss.com
Computer Security ICQ: 123710561
Software Development WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
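The heap discussion above (memory is handed out without being put into a known state, and the advice to fill it yourself) is easiest to see in a few lines of C. The following is an added example written for this page; it is not code from the original post or from the OpenSSH project. It shows the two defensive habits involved: zeroing a block before free() so the allocator never hands stale secrets to a later allocation, and using calloc() (or an explicit memset()) so a new block starts in a known state. The "session key" contents are constructed sample data, and the function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* malloc() makes no promise about the contents of the block it returns;
 * calloc() or an explicit memset() does. Zeroing sensitive data before
 * free() keeps a later allocation that reuses the block from seeing it. */

/* Call memset through a volatile function pointer so the compiler cannot
 * drop the zeroing as a "dead store" right before free(). */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;

#define SECRET_LEN 32

/* Put a constructed "secret" into a freshly malloc()'d block. */
char *alloc_secret(void) {
    char *buf = malloc(SECRET_LEN);
    if (!buf) return NULL;
    /* Constructed sample data, exactly SECRET_LEN bytes. */
    memcpy(buf, "hypothetical-session-key-0123456", SECRET_LEN);
    return buf;
}

/* Number of bytes in buf that are not zero. */
size_t count_nonzero(const unsigned char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (buf[i] != 0);
    return n;
}

/* Scrub, then free. Returns the nonzero byte count measured just before
 * free() (always 0) so the scrub can be checked by a caller. */
size_t scrub_and_free(char *buf, size_t len) {
    secure_memset(buf, 0, len);
    size_t left = count_nonzero((const unsigned char *)buf, len);
    free(buf);
    return left;
}

/* calloc() hands back a block in a known state: every byte is zero. */
size_t nonzero_after_calloc(size_t len) {
    unsigned char *p = calloc(len, 1);
    if (!p) return (size_t)-1;
    size_t n = count_nonzero(p, len);
    free(p);
    return n;
}

int main(void) {
    char *s = alloc_secret();
    if (!s) return 1;
    printf("secret in heap block: %zu nonzero bytes\n",
           count_nonzero((const unsigned char *)s, SECRET_LEN));
    printf("after scrub_and_free: %zu nonzero bytes\n",
           scrub_and_free(s, SECRET_LEN));
    printf("fresh calloc block:   %zu nonzero bytes\n",
           nonzero_after_calloc(SECRET_LEN));
    /* Whether a plain malloc() after free() returns the same block with its
     * old contents is allocator-dependent, so it is not measured here; the
     * point is that after the scrub there is nothing left to observe. */
    return 0;
}
```

Note that the volatile function pointer matters: a plain memset() immediately followed by free() is exactly the pattern optimizing compilers are allowed to remove, which is why platform-specific helpers such as explicit_bzero() exist.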
Full-Disclosure is hosted and sponsored by Secunia.