Posted by LWN.net ([info]syn_lwnheadline)
@ 2014-08-26 13:15:00
The poisoned NUL byte, 2014 edition (Project Zero)
For those interested in the gory details of a complex exploit, Google's Project Zero page describes the process of getting arbitrary code execution from a single NUL byte written to the heap by glibc in an off-by-one error. "The main point of going to all this effort is to steer industry narrative away from quibbling about whether a given bug might be exploitable or not. In this specific instance, we took a very subtle memory corruption with poor levels of attacker control over the overflow, poor levels of attacker control over the heap state, poor levels of attacker control over important heap content and poor levels of attacker control over program flow. Yet still we were able to produce a decently reliable exploit! And there's a long history of this over the evolution of exploitation: proclamations of non-exploitability that end up being neither advisable nor correct."
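The bug class behind the summary above, as an added illustration that is not the page's, Project Zero's or glibc's code: a string copy that sizes its buffer for the characters but not the terminator, run against a small constructed two-chunk heap so that the effect of the one stray NUL on the neighbouring chunk's size field is visible, next to the corrected copy. The chunk layout (8-byte little-endian size word with a PREV_INUSE flag bit, user data directly after it) is a simplified assumption, not the real allocator.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of two adjacent heap chunks in a flat byte array,
 * glibc-style: an 8-byte little-endian size field (bit 0 = PREV_INUSE)
 * followed by user data. Added illustration of the bug class only; not
 * glibc's allocator and not the specific bug Project Zero wrote about. */
#define HDR      8
#define A_USER   24                  /* bytes the caller asked malloc() for */
#define B_OFF    (HDR + A_USER)      /* chunk B's header sits right after A */
#define HEAP_LEN (B_OFF + HDR + 16)
static void put_le64(unsigned char *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i));
}
static uint64_t get_le64(const unsigned char *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}
static void heap_init(unsigned char *mem) {
    memset(mem, 0, HEAP_LEN);
    put_le64(mem, 0x21);             /* A: 32-byte chunk, PREV_INUSE set  */
    put_le64(mem + B_OFF, 0x191);    /* B: 400-byte chunk, PREV_INUSE set */
}

/* Buggy copy: buffer sized for n characters, terminator written at data[n].
 * When n == A_USER that single NUL lands on the low byte of B's size field. */
static void copy_buggy(unsigned char *mem, const char *s, size_t n) {
    memcpy(mem + HDR, s, n);
    mem[HDR + n] = '\0';             /* off by one: one byte past A's data */
}

/* Fixed copy: count the terminator and reject input that does not fit. */
static int copy_fixed(unsigned char *mem, const char *s, size_t n) {
    if (n + 1 > A_USER) return -1;   /* would need A_USER + 1 bytes of room */
    memcpy(mem + HDR, s, n);
    mem[HDR + n] = '\0';
    return 0;
}
#define INPUT "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"  /* constructed: 24 chars, fills A */
static uint64_t b_size_after_buggy(void) {     /* returns 0x100 */
    unsigned char mem[HEAP_LEN];
    heap_init(mem);
    copy_buggy(mem, INPUT, A_USER);
    return get_le64(mem + B_OFF);    /* size shrank, PREV_INUSE bit cleared */
}
static int fixed_rejects_overlong(void) {      /* returns -1 */
    unsigned char mem[HEAP_LEN];
    heap_init(mem);
    return copy_fixed(mem, INPUT, A_USER);
}
```

The point for a reviewer is that the corrupted value is not random: the NUL deterministically rewrites the low byte of the next chunk's size word, which is why a one-byte write to heap metadata deserves the same severity as a larger overflow.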