xorl %eax, %eax

NULL… Just an address

with one comment

Recently I was reading a thread of people discussing NULL pointer dereference exploitation and said numerous _stupid_ things like “it strictly depends on the CPU architecture“, “it can only be DoS” etc. Well, for sure not all NULL pointer dereferences are exploitable but it’s kind of funny that people don’t get concepts which are publicly available at least since 1994. For example, the first release of the Openwall Linux had protection against mapping of NULL, there are public exploit codes that use this technique at least since 1994. Even basic operating systems design books or can tell you that NULL is just some constant of your choice. On most modern operating systems this address is usually 0 but this is not always the case.
In addition, recently the Linux kernel provided a security patch against malicious mappings on the first pages but this can break emulators so it is optional from the procfs. Its name is MMAP_MIN_ADDR and it can be found under /proc/sys/vm/ in newer kernels.
Anyway, here is a completely stupid code to demonstrate that NULL is nothing more than a valid location on the first page of the system.

#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

 char *ptr, data[25];
 sprintf(data, "Hello world from NULL.");

 ptr = mmap(NULL, sizeof(data), PROT_READ|PROT_WRITE, \
 	   -1, 0);

 if (ptr == (void *)-1)
    printf("fail @ mmap\n");
    return -1;

 memcpy(ptr, data, sizeof(data));

 printf("%s\n", NULL);

 munmap(NULL, sizeof(data));
 return 0;

I know this is retarded but it’s just some stupid code to demonstrate that NULL is nothing special for the operating system. You can treat it as any other address, if a pointer dereference is exploitable then almost certainly the same pointer dereference would be exploitable if it was on NULL.

sh-3.1$ gcc -Wall crap.c -o crap
crap.c: In function ‘main’:
crap.c:24: warning: reading through null pointer (argument 2)
crap.c:24: warning: format ‘%s’ expects type ‘char *’, but argument 2 has type ‘void *’
sh-3.1$ ./crap
Hello world from NULL.

I just used -Wall to show that printf is actually reading from NULL which is a void * according to GCC. This is defined at linux/stddef.h like this:

#undef NULL
#if defined(__cplusplus)
#define NULL 0
#define NULL ((void *)0)

Please people.. Stop treating NULL usage as something different than any other pointer dereference, dangling pointer, invalid pointer access etc. Apart from protections against mappings such as the Openwall, GRSecurity/PaX, mmap_min_addr etc. NULL has nothing different than any other pointer.

P.S. 1: I know that NULL pointer dereference stands for an offset from NULL but in most cases the same logic applies to those as well.

P.S. 2: Of course there are more elegant ways for doing this than the common mmap(2) call but this was just a demonstration.

Written by xorl

March 11, 2009 at 12:12

Posted in C programming, security

One Response

Subscribe to comments with RSS.

  1. alright sugar tits!! :D


    March 18, 2010 at 07:15

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s