Government Security
Network Security Resources

Jump to content

Photo

Are Dangling Pointers That Dangerous?

- - - - - windows buffer overflow server exploit programming shell
  • Please log in to reply
1 reply to this topic

#1 owaspa

owaspa

    Private

  • Members
  • 2 posts

Posted 10 March 2011 - 06:31 AM

Well? I am not sure if I understand it correctly...but the way I see it:


1. Send POST to say http://victim.com/dangling.dll aaaaaa0x0x0xxxx00x0x0x0xpxoxpx9x90 (or whatever....) // this assumes that the dangling pointer is in some apache dll module, obviously in windows.
2. The shellcode of the hacker will start on the address at which the pointer points...but since the pointer is...dangling - then instead of executing the previosly desired program variable - the program will now execute the shellcode and follow the shellcode flow of execution.


A few more comments:
//////////////////////////////////
The programmer writing the program (most likely in C...) will have not only to declare the pointer, but also use it again once the object is deleted - hence the programmer actually makes 2 mistakes:
1. delete the object without setting the pointer to NULL or anything that can prevent the pointer to dangle eventually...
2. Invoke the pointer later and the pointer willl....dangle.
3. Now...assuming that the pointer will "dangle" a hacker can for example do what I described in the beggining of this post??
//////////////////////////////

So, wouldn't DEP and alsr protect against this kind of thing? It seems very much the same as buffer overflows. Interestingly though, while you can find about 200-300 or perhaps even more buffer overflow exploits, there are almost no dangling pointer exploits, in fact you will never find 10 or more proof of concepts of dangling pointers. I blame this on the fact that buffer overflows are manually easily detectable - that is...I just wrote a program which iterates through a directory with files and then for each file looks for a function gets(), strcpy() or about 10 others functions that have no bounds checking. I am not sure how can I write a similar program to scan a source code for a dangling pointer. Plus, visual studio 2008 at least gives no warnings whatsoever when the pointer dangles. Whatever the case is, I still have some doubts about the technique, since it relies on severe programming mistakes - something I wouldn't expect from people working on Apache, Windows server, etc - I guess not a way to hack something big??

10x!

#2 webdevil

webdevil

    Retired GSO General

  • Sergeant Major
  • 1,195 posts

Posted 10 March 2011 - 12:47 PM

Overflows aren't limited to only certain functions with no bounds checking, here is an example
http://xorl.wordpres...uffer-overflow/
Another example showing a buffer overflow even with the use of strncpy
http://xorl.wordpres...uffer-overflow/

DEP and ASLR just make it difficult to exploit. They are protection mechanisms, but the vulnerability still exists.
Pwn2own is a good example for this.

Dangling Pointers aka Use After Free
Google for : Internet Explorer Use After Free inurl:cve
And you'll see how common they are.

Yes, you'll not find vulnerabilities in server side applications easily. As they have been throughly broken over the years.
You'll have to go back a decade to see how common they were.





Also tagged with one or more of these keywords: windows, buffer overflow, server, exploit, programming, shell