Fix issue #999 #1001
Conversation
…ter is not a fake one.
…rules from reading values left in the stack.
I would make sure all other opcodes don't suffer from similar issues.
Faking Regardless, I did find the following:
// stdlib.h
#define RAND_MAX 0x7fff
I'm curious about this.
Basically pushing a shifted pointer to a real Then it's a matter of doing some calculations to reach the original canary value. I've written a rule (yarasm, compiled) that compares the canary using both methods ( It should exit cleanly if they match (i.e. no assertions).
@plusvic I can elaborate if necessary.
Any additional info would be helpful. I haven't enough time to look into this in detail. However, I'm wondering, given the design of the VM, if it is going to be actually possible to close all the holes.
Easiest "patch" would be to break compatibility by requiring a command-line switch to allow running compiled rules together with classifying compiled rules as "potentially dangerous". This prevents uninformed users from running possibly malicious rules without their intention and shifts the responsibility.
I'll see what I can conjure up
Yes, that's probably not very hurtful to users and at least prevents using compiled rules inadvertently.
…On Wed, Jan 23, 2019 at 2:37 PM bnbdr ***@***.***> wrote:
Easiest "patch" would be to break compatibility by requiring a
command-line switch to allow running compiled rules together with
classifying compiled rules as "potentially dangerous".
This prevents uninformed users from running possibly malicious rules
without their intention and shifts the responsibility.
additional info would be helpful
I'll see what I can conjure up
* Add additional check in OP_COUNT for making sure that the string pointer is not a fake one. * Initialize scratch memory in order to avoid maliciously crafted YARA rules from reading values left in the stack.
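To make the two mitigations in the commit message concrete, here is an added example of a toy bytecode-VM context that applies them; it is illustrative code written for this page, not YARA's implementation, and every name in it (vm_context, vm_op_count, vm_init, SCRATCH_WORDS) is hypothetical. The handler only dereferences a string-pointer operand after confirming it is exactly one of the rule's own string-table entries, so a shifted or fabricated pointer is rejected, and scratch memory is zeroed before any rule code runs so stale stack contents cannot be read back.

```c
/* Added example, not YARA's code: a toy VM context showing pointer
 * validation for an OP_COUNT-style opcode and zeroed scratch memory. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SCRATCH_WORDS 8              /* hypothetical scratch size */

typedef struct {
    const char *identifier;          /* e.g. "$a" */
    int64_t     match_count;         /* filled in by the scanner */
} vm_string;

typedef struct {
    const vm_string *strings;        /* the rule's own string table */
    size_t           n_strings;
    int64_t          scratch[SCRATCH_WORDS];
} vm_context;

/* Scratch memory is explicitly zeroed so a crafted rule cannot read
 * whatever the previous stack frames left behind. */
void vm_init(vm_context *ctx, const vm_string *table, size_t n)
{
    ctx->strings = table;
    ctx->n_strings = n;
    memset(ctx->scratch, 0, sizeof(ctx->scratch));
}

/* An operand is trusted only if it is the address of a table entry.
 * A pointer shifted by a few bytes, NULL, or any address outside the
 * table is refused, regardless of what it happens to point at. */
static int vm_is_real_string(const vm_context *ctx, const void *p)
{
    for (size_t i = 0; i < ctx->n_strings; i++)
        if ((const void *)&ctx->strings[i] == p)
            return 1;
    return 0;
}

/* OP_COUNT-style handler: the match count for a real string, or -1
 * (caller aborts evaluation) when the operand is not a real string. */
int64_t vm_op_count(const vm_context *ctx, const void *operand)
{
    if (!vm_is_real_string(ctx, operand))
        return -1;
    return ((const vm_string *)operand)->match_count;
}
```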