Comments on Security: Exploiting 64-bit Linux like a boss (blog by Chris Evans; comment feed last updated 2024-03-18)

12 comments, in chronological order.

Anonymous (2013-02-03 15:41 -08:00):
https://code.google.com/p/chromium/issues/detail?id=162835

The bug details are still hidden. Will you open the bug report to the public soon?

Chris Evans (2013-02-03 17:12 -08:00):
@Anonymous: I just re-read the bug and it's pretty boring relative to this blog post, to be honest. You're not missing anything, but I'll open it soon.

Alfredo Ortega - GW (2013-02-03 19:07 -08:00):
While the exploit is brilliant, I find the title of this post slightly disingenuous. The fact it works on 64-bit Linux is only incidental, as it mainly uses several WebKit-only features, like the infoleak.

Chris Evans (2013-02-03 19:13 -08:00):
@Alfredo Ortega -- I think you've missed the point of this post. The significance of 64-bit Linux is that it's IMHO a tough target for browser exploitation, and therefore to celebrate Pinkie Pie's skill.

Alfredo Ortega - GW (2013-02-03 19:41 -08:00):
@Chris: oh, I got the point; please allow me to be a little pedantic for the sake of the discussion :) Indeed, I think this breaks not only Linux-64 but any ASLR implementation; it should work on even harder platforms like OpenBSD (not sure about this, newer heap protections in OBSD may stop this particular exploit).

Chris Evans (2013-02-03 19:53 -08:00):
@Alfredo Ortega: oh, my bad :) Yeah, to stop this you'd need to be looking at compiler-based defenses or some less deterministic heap or.... rewrite in Java ;-)

huzaifas (2013-02-03 23:10 -08:00):
On Fedora 18, it seems that the chrome-sandbox runs as SELinux confined. This should make the exploit exceptionally difficult, if not impossible.

Yuhong Bao (2013-02-04 00:50 -08:00):
@Chris: Don't forget all the other old security bugs that are still closed.

Chris Evans (2013-02-04 05:24 -08:00):
@huzaifas: what is it about "SELinux confined" that makes exploitation hard? This post covers initial exploitation to get code execution inside a sandbox. "SELinux confined" is just another hurdle to jump over ;-)

Anonymous (2013-02-04 05:30 -08:00):
Any chance you could post the magic that makes up the gc() function for us peons?

Nico Waisman (2013-02-07 06:04 -08:00):
Excellent piece of work!!

Anonymous (2013-11-04 23:38 -08:00):
Nowadays use-after-free is the weakest point; better protection is needed. When you free memory, the owner's pointers should always be set to NULL.
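The defence suggested in the last comment (clear the owner's pointer when the object is freed), as an added example that is not part of the original post or of the comment thread. It uses a constructed four-slot LIFO allocator standing in for a real heap so the reuse of the freed chunk is reproducible; the names Widget, heap_alloc, heap_free, widget_release, uaf_vulnerable and uaf_nulled are this example's own, not Chromium's or WebKit's.

```c
#include <stddef.h>
#include <string.h>

/* The object being used after free: a vtable-like function pointer. */
typedef struct {
    void (*on_event)(int);
    int id;
} Widget;

/*
 * Constructed stand-in for a real heap: a fixed arena with a LIFO free list.
 * Real allocators (glibc tcache, PartitionAlloc freelists) likewise hand the
 * most recently freed chunk of a size class straight back, which is what
 * makes a dangling pointer useful to an attacker.
 */
#define SLOT_COUNT 4
#define SLOT_SIZE  32

typedef union { Widget w; unsigned char raw[SLOT_SIZE]; } Slot;

static Slot arena[SLOT_COUNT];
static int  free_stack[SLOT_COUNT];
static int  free_top;

static void heap_reset(void)
{
    memset(arena, 0, sizeof arena);
    free_top = 0;
    for (int i = SLOT_COUNT - 1; i >= 0; i--)
        free_stack[free_top++] = i;      /* slot 0 is handed out first */
}

static void *heap_alloc(void)
{
    return free_top > 0 ? (void *)&arena[free_stack[--free_top]] : NULL;
}

static void heap_free(void *p)
{
    int idx = (int)((Slot *)p - arena);
    free_stack[free_top++] = idx;        /* LIFO: the next alloc reuses it */
}

static int legit_calls, hijacked_calls;
static void legit_handler(int x)    { legit_calls += x; }
static void attacker_handler(int x) { hijacked_calls += x; }

/* Vulnerable pattern: the owner keeps a dangling pointer after the free. */
int uaf_vulnerable(void)
{
    heap_reset();
    legit_calls = hijacked_calls = 0;

    Widget *owner = heap_alloc();
    owner->on_event = legit_handler;
    owner->id = 1;

    heap_free(owner);                    /* freed, but 'owner' still points at slot 0 */

    /* attacker-controlled allocation of the same size class lands in slot 0 */
    Widget *attacker = heap_alloc();
    attacker->on_event = attacker_handler;
    attacker->id = 0x41414141;

    owner->on_event(1);                  /* stale use: control flow hijacked */
    return hijacked_calls;               /* 1: the attacker's handler ran */
}

/* Defence from the comment: free through the owner's pointer and clear it,
 * so a later stale use is a NULL dereference (a deterministic crash under
 * ASan or the MMU) instead of a call through attacker-controlled memory. */
static void widget_release(Widget **owner)
{
    heap_free(*owner);
    *owner = NULL;
}

int uaf_nulled(void)
{
    heap_reset();
    legit_calls = hijacked_calls = 0;

    Widget *owner = heap_alloc();
    owner->on_event = legit_handler;
    owner->id = 1;

    widget_release(&owner);              /* owner == NULL from here on */

    Widget *attacker = heap_alloc();     /* still reuses slot 0 ... */
    attacker->on_event = attacker_handler;

    if (owner == NULL)                   /* ... but the stale path cannot reach it */
        return 0;
    owner->on_event(1);                  /* unreachable once the owner is cleared */
    return hijacked_calls;
}
```

Note that the allocator behaves identically in both cases; the attacker's object still lands in the freed slot. Clearing the pointer only helps for the aliases it is applied to: any second copy of the pointer (a raw pointer cached in another object, an entry in a list the free path forgot) is still a working dangling reference, which is why this pattern downgrades a bug to a crash rather than removing it, and why the thread's other suggestions (compiler-based defences, a less deterministic heap) target the reuse itself.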