I was just contacted by BlackHat to let me know that my presentation (Dangling the Pointer for Fun and Profit) was accepted to be a part of BH USA 2007 convention. I believe that this presentation will be very interesting and beneficial both for application developers as well as security experts.
Here's a short overview of the presentation (taken from the BH blog submission):
Just another day at the office started with scanning a web application with a vulnerability scanner (AppScan of course). The scan resulted in an unexpected crash in a Microsoft IIS server. This discovery was really exciting – a crash might mean a new IIS vulnerability.
More thorough research concluded that we were facing a "dangling pointer bug" and that it might be remotely exploitable for arbitrary code execution. After a while, an already published advisory of this bug was found on the net. It stated that this was a DoS vulnerability and that it couldn't be exploited for remote code execution.
We thought differently.
I started researching, looking for a good exploit implementation and information resources about dangling pointer issues. I felt that such a resource was missing and that there seemed to be a big misconception regarding the importance and impact of dangling pointer bugs.
In the BH USA 2007 presentation, I will discuss dangling pointer bugs, how they are created, their implications and how they can be exploited for remote arbitrary code execution.
I will dive into specific implementation details of C++ compilers and Windows heap structure and present it all on top of the IIS vulnerability example, as well as on another self-crafted demo application.
I will also explain why this bug is commonly misunderstood and will try to answer questions that are currently left unanswered, as there is no informative reading material easily available on the subject.