[32640] in bugtraq
Re: [ANNOUNCE] glibc heap protection patch
daemon@ATHENA.MIT.EDU (William Robertson)
Tue Dec 2 12:30:47 2003
In-Reply-To: <3FCC9BBE.60604@suspekt.org>
Mime-Version: 1.0 (Apple Message framework v606)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <349B64A4-24EB-11D8-8B1F-000A95675F0E@cs.ucsb.edu>
Content-Transfer-Encoding: 7bit
Cc: sectools@securityfocus.com, bugtraq@securityfocus.com,
focus-ids@securityfocus.com
From: William Robertson <wkr@cs.ucsb.edu>
Date: Tue, 2 Dec 2003 09:16:02 -0800
To: Stefan Esser <stefan@suspekt.org>
Hi Stefan,
On Dec 02, 2003, at 06:03, Stefan Esser wrote:
> Nice advertisement but you should underline the fact, that it only
> protects against glibc malloc()/free() problems. There are a number
> of software packages that implement their own heap wrappers or work
> with linked lists. They still are vulnerable to heap overflows.
> f.e. PHP.
This is correct, and we state as much in our LISA paper. Apologies for
not emphasizing it more in my post yesterday; I'll make sure the
project page makes this clearer.
> And on the other hand there is a much simpler way to protect any
> unlink from a linked list from ever beeing exploited.
This is true in the case of the fd and bk pointers, and in fact this is
one of the checks that dlmalloc's debugging code performs. However, as
we also demonstrated in the paper, you are still open to other
heap-related attacks, such as overwriting size fields and setting up
fake chunk headers. So, unfortunately I don't think that check alone
is sufficient.
> Stefan Esser
--
William Robertson
Reliable Software Group, UC Santa Barbara
http://www.cs.ucsb.edu/~wkr/
