Comments on: Impressing Girls with Vista Memory Protection Bypasses

by: valiant

Mon, 22 Sep 2008 12:35:00 +0000

Remember

There’s two meanings. I fall into both. The code hacker, who lives to program and does it the hard way, and the system hacker, who loves finding exploitable features in systems to gain access, does so, notifies the sysadmin and patches the hole.

by: leenooks zealot

Wed, 03 Sep 2008 16:55:00 +0000

Oh, crap. I’ve just got root on my Linux box…

by: mark

Wed, 20 Aug 2008 23:39:00 +0000

@Frank: We were in contact with MS before the speech and gave them advanced copies of our material. The specifics of the attacks we describe are published in the paper/slides linked from this blog.

by: Frank Hare

Wed, 20 Aug 2008 13:25:00 +0000

Has anyone form MS been in contact with you? Do you plan to publish specifics about this? If so, when and in what forum?

Thanks, keep up the good work.

by: mark

Sat, 16 Aug 2008 02:56:00 +0000

@Brook: Hey, thanks for your commentary. Alex actually wrote the part about GS, but I’ll have a go at fielding this one I suppose :). I would agree that the example is somewhat contrived (although I have to say, I’ve seen code like this many times before..). He could perhaps of modified it slightly to make it more realistic, but it doesn’t really matter - the point of the example was to demonstrate that integer arguments are not copied below local variables by GS, and hence can be overwritten. This is a pretty important limitation of the GS protections, and one that I have exploited a few times before. Whether the specific example is believable or not is neither here nor there - if you have a situation where you have a stack overflow and integer-based arguments, there might be the chance for exploitation.

by: Brook Monroe

Sat, 16 Aug 2008 01:29:00 +0000

I’m partly along in the paper, and I’ve got to call shenanigans on some of this. In particular, the gs4() function you provide as an example is highly contrived, and uses an internal buffer without any good need of having one. In fact, if one of my team presented me with that sort of brain-dead coding during a code review, I’d send him or her packing, along with a pair of flaming ears. How would your attack have fared against a properly-written gs4(), I’m wondering?

by: squadjot

Wed, 13 Aug 2008 22:58:00 +0000

good to see that SOMEBODY is doing their jobs.. (not microsoft)

by: Dimchansky

Tue, 12 Aug 2008 07:29:00 +0000

Where can I download source code?

by: joey

Mon, 11 Aug 2008 21:59:00 +0000

damn you mark dowd! you killed the interwebs again!

by: jm

Sun, 10 Aug 2008 20:04:00 +0000

@mark Although, I think you do have a moral responsibility to state that they are, in fact, internet hilarious.