[Dailydave] Realistically looking at "all the things"

Dave Aitel dave at immunityinc.com
Wed Nov 20 16:35:19 EST 2013


http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf

https://www.exodusintel.com/files/Aaron_Portnoy-Bypassing_All_Of_The_Things.pdf

So I wanted to compare and contrast the EMET paper with the Portnoy
"Bypassing all the Things" paper. Because nothing makes me madder than
the Portnoy paper. Go read it and then come back.

Ok, done? Did that not make you want to gnash your teeth a bit? My
dentist last week was like "Looks like you grind your teeth" and I was
like "BECAUSE OF THE BYPASSING ALL THE THINGS PAPER!"

Here's why: If you have a perfect bug, then yes, ANYTHING is bypassable.
For some reason Shockwave included the perfect bug. Which is AWESOME and
I wish I'd found that bug, but once you have full memory read and write
control (and are in a scripting language to boot), then yes, you will be
bypassing DEP/ASLR, etc. Not even GRSec, the gold standard of pains in
the ass, would claim to protect against full memory read and write access.

Here's the thing: Browser client-sides have made people think things are
easier than they are. And even browser bugs aren't usually as easy as
THIS bug. Sheesh.

-dave

