Authored by: Anonymous on Saturday, January 26 2013 @ 12:34 AM EST
That's only true if malloc allocates memory sequentially. This is true for mallocs based on brk/sbrk. There are other ways to implement malloc. Some of the other ways will randomize where the blocks come from. So even though memory is full, it doesn't mean you know where the last few blocks came from.

If you have access to the pointers returned by malloc, then yes, you can always make this attack work. But the point of this exploit is that you are able to make it work from JavaScript without access to the actual values returned by malloc.

If you have access to the pointers and can call free, I suspect you can call exec or anything else you want.

Although I suppose sandbox developers should take note. malloc/free is not necessarily safe if you can load unsandboxed DLLs.
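The commenter's point is that a brk/sbrk-style heap hands out blocks in address order, so one known block address predicts the next ones, while an allocator that randomizes slot selection breaks that prediction even once the heap is full. The toy below is an added illustration written for this page, not code from the comment author or from any real allocator: it models the two allocation policies over one constructed 64-slot arena (a deliberately simplified model; the slot count, slot size, the xorshift32 PRNG and the fixed seed are all assumptions) and counts how many follow-on blocks land where a "sequential" guess says they will.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy heap: 64 fixed-size slots of 64 bytes carved from one
 * static arena. Real allocators are far more complex; this only models
 * the one property the comment is about: the order in which blocks are
 * handed out. */
#define SLOT_SIZE 64
#define NSLOTS 64
static unsigned char arena[SLOT_SIZE * NSLOTS];

/* Model 1: sequential (bump) allocator. Like a brk/sbrk-backed heap with
 * no intervening frees, the i-th block lands at base + i * SLOT_SIZE. */
typedef struct { size_t next; } bump_t;

static void *bump_alloc(void *ctx) {
    bump_t *b = ctx;
    if (b->next >= NSLOTS) return NULL;           /* heap exhausted */
    return arena + (b->next++) * SLOT_SIZE;
}

/* Model 2: randomized allocator. Every free slot sits in a list and each
 * request draws one at random (xorshift32 with a caller-supplied seed so
 * runs are reproducible; a hardened allocator would seed from the OS). */
typedef struct {
    uint32_t state;
    int free_slots[NSLOTS];
    int nfree;
} rnd_t;

static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

static void rnd_init(rnd_t *r, uint32_t seed) {
    r->state = seed ? seed : 1u;                  /* xorshift needs a nonzero state */
    for (int i = 0; i < NSLOTS; i++) r->free_slots[i] = i;
    r->nfree = NSLOTS;
}

static void *rnd_alloc(void *ctx) {
    rnd_t *r = ctx;
    if (r->nfree == 0) return NULL;               /* heap exhausted */
    int i = (int)(xorshift32(&r->state) % (uint32_t)r->nfree);
    int slot = r->free_slots[i];
    r->free_slots[i] = r->free_slots[--r->nfree]; /* swap-remove from free list */
    return arena + (size_t)slot * SLOT_SIZE;
}

/* The question in the comment: after seeing one block's address, how many
 * of the next n blocks land where a "sequential" guess predicts? */
static int count_predicted(void *(*alloc)(void *), void *ctx, int n) {
    unsigned char *first = alloc(ctx);
    int hits = 0;
    for (int i = 1; i <= n; i++) {
        unsigned char *p = alloc(ctx);
        if (p == first + (size_t)i * SLOT_SIZE) hits++;
    }
    return hits;
}

int bump_predictability(int n) {
    bump_t b = { 0 };
    return count_predicted(bump_alloc, &b, n);
}

int rnd_predictability(uint32_t seed, int n) {
    rnd_t r;
    rnd_init(&r, seed);
    return count_predicted(rnd_alloc, &r, n);
}

/* Sanity check on the randomized model: filling the heap completely hands
 * out every slot exactly once, and the request after that fails. */
int rnd_fills_heap_once(uint32_t seed) {
    rnd_t r;
    rnd_init(&r, seed);
    int seen[NSLOTS] = { 0 };
    for (int i = 0; i < NSLOTS; i++) {
        unsigned char *p = rnd_alloc(&r);
        if (!p) return 0;
        int slot = (int)((p - arena) / SLOT_SIZE);
        if (seen[slot]++) return 0;               /* slot handed out twice */
    }
    return rnd_alloc(&r) == NULL;
}

int main(void) {
    printf("sequential model: %d of 31 follow-on blocks where predicted\n",
           bump_predictability(31));
    printf("randomized model: %d of 31 follow-on blocks where predicted\n",
           rnd_predictability(12345u, 31));
    return 0;
}
```

With the sequential model every one of the 31 follow-on blocks is exactly where the guess puts it; with the randomized model almost none are, even though both models eventually hand out the same 64 slots. That is the defensive value of allocator randomization the comment alludes to: exhausting the heap tells an attacker that the slots are all in use, not which request got which slot.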