Project Zero Exploits 'Unexploitable' Glibc Bug
NotInHere (3654617) writes with news that Google's Project Zero has been busy at work. A month ago they reported an off-by-one error in glibc that would overwrite a word on the heap with NUL and were met with skepticism at its ability to be used in an attack. Google's 'Project Zero' devised an exploit of the out-of-bounds NUL write in glibc to gain root access using the setuid binary pkexec in order to convince skeptical glibc developers. 44 days after being reported, the bug has been fixed.
They even managed to defeat address space randomization on 32-bit platforms by tweaking ulimits. 64-bit systems should remain safe if they are using address space randomization.
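The summary describes the bug only as an off-by-one that writes a NUL one byte past a heap buffer. The following is an added illustration of that bug class, not Project Zero's exploit or glibc's code: the buffer layout, the sentinel value and the two copy routines are constructed for the example. A flat arena stands in for two adjacent heap chunks so the clobber is deterministic and every write stays inside one allocation; in real memory the byte that gets zeroed belongs to whatever chunk the allocator placed next, which is exactly why "unexploitable" is so hard to prove.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: bytes 0..7 are the destination buffer, bytes 8..11
 * hold a 32-bit "neighbour" (think of a length field, pointer or flag that
 * other code trusts). Real heap layouts vary; this arena keeps the
 * demonstration well defined. */
#define BUF_LEN   8
#define ARENA_LEN (BUF_LEN + sizeof(uint32_t))

/* Vulnerable copy: the bound check allows n == bufsize, so the terminating
 * NUL is written at buf[bufsize], one byte past the end. This is the same
 * shape as the glibc bug: a single out-of-bounds zero byte. */
static void copy_vuln(char *buf, const char *src, size_t bufsize)
{
    size_t n = strlen(src);
    if (n > bufsize)        /* off by one: should be n >= bufsize */
        n = bufsize;
    memcpy(buf, src, n);
    buf[n] = '\0';          /* n == bufsize lands on the neighbour */
}

/* Fixed copy: reserve one byte for the terminator, so the NUL can never
 * reach index bufsize. */
static void copy_fixed(char *buf, const char *src, size_t bufsize)
{
    size_t n = strlen(src);
    if (n >= bufsize)
        n = bufsize - 1;
    memcpy(buf, src, n);
    buf[n] = '\0';
}

/* Runs one copy routine against a fresh arena and reports whether the
 * neighbouring word was modified (1) or left intact (0). */
static int clobbers_neighbour(void (*copy)(char *, const char *, size_t),
                              const char *input)
{
    unsigned char arena[ARENA_LEN];
    const uint32_t sentinel = 0x41424344u;   /* constructed marker value */
    uint32_t after;

    memset(arena, 0, sizeof arena);
    memcpy(arena + BUF_LEN, &sentinel, sizeof sentinel);

    copy((char *)arena, input, BUF_LEN);

    memcpy(&after, arena + BUF_LEN, sizeof after);
    return after != sentinel;
}

int main(void)
{
    /* Eight characters fill the buffer exactly; the vulnerable routine then
     * zeroes the first byte of the neighbour, the fixed one truncates. */
    const char *input = "AAAAAAAA";
    printf("copy_vuln  clobbers neighbour: %d\n", clobbers_neighbour(copy_vuln, input));
    printf("copy_fixed clobbers neighbour: %d\n", clobbers_neighbour(copy_fixed, input));
    printf("copy_vuln  with short input:   %d\n", clobbers_neighbour(copy_vuln, "short"));
    return 0;
}
```

Note that the vulnerable routine behaves correctly for every input shorter than the buffer, which is how bugs like this survive testing: only the exact boundary length triggers the write, and the consequence depends entirely on what the allocator put after the chunk.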
Re: microsofties here is your chance to party (Score:5, Insightful)
Actually, I find the arrogance of calling an obvious bug "unexploitable" disturbing.
Most ARM is 32 bit...
Re: microsofties here is your chance to party (Score:1, Insightful)
The word you're looking for is 'skeptical', and then they went and fixed it when they were proven wrong. This is actually the opposite of arrogant.
Honestly, when will people learn? (Score:5, Insightful)
Never say never.
Unexploitable? Srsly? GAC.
An acquaintance recently posted "Six Stages of Debugging" on his g+ page. (1. That can't happen, 2. That doesn't happen on my machine, 3. That shouldn't happen, 4. Why does that happen? 5. Oh, I see, and 6. How did that ever work). Doesn't an software dev who has been working for more than about three years go straight to No. 4?
The things they don't teach you in a CS degree.
Re:Honestly, when will people learn? (Score:4, Insightful)
This is seriously shit your CS 100 or 200-level teacher SHOULD have taught you, if you got a CS degree. I think it may depend largely upon where/when you got your degree though. They're only all the same on paper.
Re: microsofties here is your chance to party (Score:2, Insightful)
The first part is arrogance. The second part is pragmatic humility.
Re:Honestly, when will people learn? (Score:4, Insightful)
Sure, which is why you have proper logging that allows you to point them in the right direction. At least a few times a year, I have to advise users to get in touch with their IT department to fix their corrupted Arial font file or some other such nonsense since it's causing problems for our app (and probably a number of others as well). Where the fault lies is a tangential discussion, however. What matters here is that Step 2 is actually valuable at times, since it can assist you in answering #4 by narrowing down the possible causes.
Re: microsofties here is your chance to party (Score:4, Insightful)
The word you're looking for is 'skeptical', and then they went and fixed it when they were proven wrong. This is actually the opposite of arrogant.
They should have fixed the bug as soon as they realized it was there, and not waited until someone proved it was an especially bad bug.
Re:microsofties here is your chance to party (Score:5, Insightful)
No.
Off-by-ones are much easier to fix than to prove safe. The number of bugs called "unexploitable" until an exploit was provided is staggering. No mildly security-aware person will avoid fixing a buffer overflow because it is unexploitable.
Shachar
Re:Honestly, when will people learn? (Score:2, Insightful)
The things they don't teach you in a CS degree.
Actually they *do* teach you that in a CS degree, and also how to fix it. FTFY. Also, they don't put the word 'an' before a word beginning with a consonant.