On 21.4.2014, at 6.06, Jamie Landeg-Jones <jamie@dyslexicfish.net> wrote:

> "hcoin" <hcoin@quietfountain.com> wrote:
>
>> local variables) harms performance. It's also true doing both of these
>> things would not fix the flaw that 'opened the window' onto these data.
>> However it is true that doing so would make the exploit valueless as
>> 'opening a window' onto erased data would reveal nothing and could erase
>> trojan/virus 'hijack via code-injection then trampoline' opportunities.
>
> In the heartbleed case, was the bug returning stale freed memory, though?
> Couldn't it just as easily have been that the over-read was returning any
> other memory that the process has had allocated for other variables - data
> that was still in use?

No, the problem was another type of programming error that is endemic in C programming. It's called failure to validate input parameters before using the input parameters or derived values from the input parameters as array indices.

https://en.wikipedia.org/wiki/Bounds_checking

The bug allowed an attacker to request any number of bytes from memory that followed the buffer that the client was usually allowed to access (depending on how the index was interpreted it might have been possible to request memory before the buffer as well). The part of memory that followed the buffer very probably contained some very sensitive information, possibly secret keys that were loaded in memory (memory that was constantly in use and not free()'d until the process terminates) in unprotected form (plain text essentially) for fast access during encryption and decryption.
-Kimmo
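As an added illustration of the bounds-checking failure Kimmo describes (example code written for this page, not from OpenSSL or from any message in the thread): a record handler that trusts a peer-supplied length field as a copy length, beside one that validates it against the bytes actually received. The record layout, the handler names and the pretend key material are assumptions constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout modelled on the heartbeat message discussed above:
 * [1 byte type][2 bytes big-endian payload length][payload][padding];
 * record_len is the number of bytes actually received for the record. */
typedef size_t (*handler_fn)(const uint8_t *rec, size_t record_len,
                             uint8_t *out, size_t out_cap);

/* Unchecked handler: uses the peer-supplied length field as the copy length,
 * so the copy runs past the received record into whatever memory follows it. */
size_t heartbeat_unchecked(const uint8_t *rec, size_t record_len,
                           uint8_t *out, size_t out_cap)
{
    (void)record_len;                                 /* never consulted: the flaw */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap) payload_len = out_cap; /* guards out, not rec */
    memcpy(out, rec + 3, payload_len);                /* over-read if payload_len > record_len - 3 */
    return payload_len;
}

/* Checked handler: the length field is validated against the bytes really
 * received before it is used as an index; a lying record is discarded (0). */
size_t heartbeat_checked(const uint8_t *rec, size_t record_len,
                         uint8_t *out, size_t out_cap)
{
    if (record_len < 3) return 0;                     /* no room for the header */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > record_len - 3) return 0;       /* claims more than received */
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Constructed sandbox: one array stands in for process memory, holding a 7-byte
 * record whose length field claims 28 bytes, followed by pretend key material.
 * The over-read stays inside this array, so it is well defined here; in a real
 * process it reads whatever happens to lie beyond the buffer. */
#define FAKE_SECRET "constructed-key-material"       /* 24 bytes, not a real key */

/* Feeds the lying record to a handler. Returns the reply length and sets
 * *leaked to 1 when the reply carries the bytes that followed the record. */
size_t run_on_lying_record(handler_fn handler, int *leaked)
{
    uint8_t memory[64] = {1, 0, 28, 'p', 'i', 'n', 'g'}; /* type, len=28, 4 real bytes */
    uint8_t reply[64] = {0};
    memcpy(memory + 7, FAKE_SECRET, sizeof FAKE_SECRET); /* what lies after the record */
    size_t n = handler(memory, 7, reply, sizeof reply);  /* only 7 bytes were received */
    *leaked = n >= 28 && memcmp(reply + 4, FAKE_SECRET, strlen(FAKE_SECRET)) == 0;
    return n;
}
```

The checked handler rejects the record outright rather than clamping the length, which is the conservative choice when a length field and the received byte count disagree.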