
Post edit history

Ghost - what does it mean for ZK?

Date                   Editor
1/27/2015 9:43:40 PM   kaen
1/27/2015 9:43:08 PM   kaen
1/27/2015 9:15:16 PM   kaen
1/27/2015 9:14:50 PM   kaen
1/27/2015 9:11:11 PM   kaen
1/27/2015 9:03:39 PM   kaen
1/27/2015 9:00:42 PM   kaen
Before / After (the two versions differ only in the final paragraph, shown in both forms at the end)

[quote]
Read a bit more. Those few bytes can be enough for full-fledged attacks.
[/quote]

The only "full-fledged" attack they detailed with ACE was the exim vuln, in which they noted:

[quote]
The success of this exploit depends on an important piece of
information: the address of Exim's run-time configuration in the heap.
[/quote]

Which, with ASLR, is extremely difficult to know ahead of time. In this case, they were able to exploit another exim-specific flaw to get the address they needed (outlined in 5.2). This entire scheme depends on the gethostbyname buffer being directly adjacent to a malloc chunk, and also that heap protection was not enabled.

Finally, further down the thread is a list of programs that are accidentally unexploitable despite calling the affected functions: http://www.openwall.com/lists/oss-security/2015/01/27/18

Before: Which speaks to the "perfect storm" you'd need to have to exploit this in the wild against an uncompromised machine.

After: Which speaks to the "perfect storm" required to exploit this in the wild against an uncompromised machine.