Sunday, May 6, 2007

Exploitable NULL Pointer Vulnerabilities on ARM and XScale Architectures

Via Barnaby Jack of Juniper -

NULL pointer dereference flaws typically account for the majority of published denial-of-service attacks, both locally and remotely. A NULL pointer dereference occurs when a pointer with the value 0 is assumed to point at a valid memory location and is then accessed. A NULL pointer dereference is rarely more than an annoyance, with the worst-case scenario typically being a software crash: a read from, or write to, address 0x0 will generally hit invalid or unused memory, because most platforms deliberately leave the page at address 0 unmapped.

In the case of the ARM and XScale architectures, address 0x0 is not only mapped in memory but also serves an important purpose: the exception vector table is located at memory offset 0 (on cores that support high vectors, the V bit in the CP15 control register can instead place it at 0xFFFF0000, but low vectors are the default on these devices). Each vector is a single ARM instruction, normally a branch or a PC-relative load, that the CPU fetches when the corresponding exception (reset, undefined instruction, SWI, prefetch abort, data abort, IRQ or FIQ) is taken. Because many real-time operating systems on ARM-based devices run all code in Supervisor (SVC) mode, memory access is unrestricted: a NULL pointer write carrying attacker-influenced data can overwrite a vector, and the next time that exception fires the processor branches wherever the attacker pointed it. This is the vector rewrite the linked paper takes its name from.
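The following is an added example, not code from the paper or from any device it discusses. It models the low 64 bytes of ARM memory as a buffer, installs a conventional `LDR pc,[pc,#0x18]` vector table with handler addresses at 0x20..0x3C, and then performs the one write a NULL-pointer bug would make: a hypothetical driver struct whose `irq_handler` field sits at offset 0x18 is written through a NULL `dev` pointer. The value written is the encoding of `B 0x8000`, where 0x8000 stands in for wherever the attacker has staged code; all addresses and the struct layout are constructed for illustration. `resolve_vector` shows where the CPU would land for each vector before and after the write.

```c
/* Added example: how a NULL-pointer write on ARM lands in the exception
 * vector table. "Address 0" is simulated, so this runs on any host. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VEC_BYTES 64
static uint8_t low_mem[VEC_BYTES];   /* stands in for physical 0x00000000..0x3F */

/* Vector offsets with low vectors selected (CP15 c1 V bit clear). */
enum { VEC_RESET = 0x00, VEC_UNDEF = 0x04, VEC_SWI = 0x08, VEC_PABT = 0x0C,
       VEC_DABT = 0x10, VEC_RSVD = 0x14, VEC_IRQ = 0x18, VEC_FIQ = 0x1C };

static uint32_t rd32(uint32_t addr) { uint32_t v; memcpy(&v, low_mem + addr, 4); return v; }
static void     wr32(uint32_t addr, uint32_t v) { memcpy(low_mem + addr, &v, 4); }

/* Encode "B target" for an instruction placed at address `at`:
 * cond=AL(0xE), opcode 101, L=0, imm24 = (target - (at + 8)) >> 2,
 * since PC reads as the instruction address + 8 in ARM state. */
uint32_t encode_b(uint32_t at, uint32_t target) {
    int32_t off = (int32_t)(target - (at + 8)) >> 2;
    return 0xEA000000u | ((uint32_t)off & 0x00FFFFFFu);
}

/* Where does the CPU go when it takes the exception whose vector is at `at`?
 * Handles the two forms real vector tables use:
 *   B <target>            0xEAxxxxxx
 *   LDR pc, [pc, #imm12]  0xE59FFxxx  -> jump to the word stored at at+8+imm
 * Anything else (a garbage word) returns 0xFFFFFFFF: a crash, not a hijack. */
uint32_t resolve_vector(uint32_t at) {
    uint32_t w = rd32(at);
    if ((w & 0xFF000000u) == 0xEA000000u) {
        int32_t imm = (int32_t)(w & 0x00FFFFFFu);
        if (imm & 0x00800000) imm -= 0x01000000;          /* sign-extend imm24 */
        return at + 8 + ((uint32_t)imm << 2);
    }
    if ((w & 0xFFFFF000u) == 0xE59FF000u) {
        uint32_t slot = at + 8 + (w & 0xFFFu);
        return (slot + 4 <= VEC_BYTES) ? rd32(slot) : 0xFFFFFFFFu;
    }
    return 0xFFFFFFFFu;
}

/* Simulated RTOS boot: every vector becomes "LDR pc,[pc,#0x18]", whose target
 * word lives at (vector + 0x20). `handlers` are constructed addresses. */
void setup_vectors(const uint32_t handlers[8]) {
    for (int i = 0; i < 8; i++) {
        wr32((uint32_t)i * 4, 0xE59FF018u);
        wr32(0x20 + (uint32_t)i * 4, handlers[i]);
    }
}

/* Hypothetical driver object. Its irq_handler field happens to sit at
 * offset 0x18, the same offset as the IRQ vector. */
struct netdev { uint32_t regs[6]; uint32_t irq_handler; uint32_t flags; };

/* The bug: "dev->irq_handler = word" runs with dev == NULL. On ARM in SVC
 * mode that is a plain store to 0x00000018. A host cannot dereference 0, so
 * the model computes the same address with offsetof and stores into low_mem. */
uint32_t null_deref_write(uint32_t word) {
    struct netdev *dev = NULL;
    uint32_t addr = (uint32_t)offsetof(struct netdev, irq_handler);  /* == (uint32_t)&dev->irq_handler */
    (void)dev;
    wr32(addr, word);
    return addr;
}

/* Install a sane table, trigger the NULL write with an attacker-chosen word,
 * and report where the IRQ vector now points. */
uint32_t demo_hijack(uint32_t shellcode_addr) {
    const uint32_t handlers[8] = { 0x10000, 0x10040, 0x10080, 0x100C0,
                                   0x10100, 0x10140, 0x10180, 0x101C0 };   /* constructed */
    setup_vectors(handlers);
    uint32_t before = resolve_vector(VEC_IRQ);
    null_deref_write(encode_b(VEC_IRQ, shellcode_addr));
    uint32_t after = resolve_vector(VEC_IRQ);
    printf("IRQ vector: before=%#x after=%#x\n", before, after);
    return after;
}

int main(void) { demo_hijack(0x8000); return 0; }
```

Two practical caveats the model glosses over: the overwritten word is fetched as an instruction, so on a core with a separate instruction cache (XScale included) a stale cached vector may keep running until the cache line is invalidated or evicted, and the attacker still needs a way to place code at the branch target and to provoke the chosen exception. A NULL write of uncontrolled data, by contrast, yields the garbage-word case and just a crash.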

Vector Rewrite Attacks (PDF)
