Issue 50: 2-byte Jump operands Invalid Prefix
Status: Fixed
Owner: bradchen...@google.com
Closed: Apr 2009
Security-Contest
Type-Defect
Reported by mark.dowd, Mar 12, 2009
2-byte jump instructions are not examined for valid prefixes. This allows
the attacker to jump to somewhere in the address space that hasn't been
correctly validated, execute arbitrary code, and defeat the sandbox (by
reloading the CS register or similar). The example PoC just executes an
instruction that should be disallowed by the sandbox (namely, int3).

Attachment: 2byte.zip (17.4 KB)
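As an added illustration of the missing check (not the Native Client validator's code and not the attached PoC), the simplified Python model below decodes a few x86 opcodes, records instruction boundaries, checks that every jump lands on one, and rejects a 2-byte jump that carries a legacy prefix; the opcode subset and prefix set are assumptions. Passing `reject_prefixed_jumps=False` models a validator that skips over prefixes and therefore accepts the prefixed jump, even though a prefix can change how the CPU decodes the displacement.

```python
import struct

# Constructed, simplified model of a sandbox code validator.  Only a few
# opcodes are decoded and the prefix set is an assumption; this is not the
# Native Client validator's own code.
LEGACY_PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0x66, 0x67, 0xF2, 0xF3}
DISALLOWED = {0xCC: "int3"}   # instructions the sandbox must never admit

def decode(code, i):
    """Decode the instruction at code[i] -> (length, jump_target or None, prefixes)."""
    start, prefixes = i, []
    while i < len(code) and code[i] in LEGACY_PREFIXES:
        prefixes.append(code[i])
        i += 1
    if i >= len(code):
        raise ValueError("truncated instruction at %#x" % start)
    op = code[i]
    if op in DISALLOWED:
        raise ValueError("disallowed %s at %#x" % (DISALLOWED[op], start))
    if op == 0x90:                                      # nop
        return i + 1 - start, None, prefixes
    if op == 0xEB:                                      # jmp rel8
        rel, end = struct.unpack_from("<b", code, i + 1)[0], i + 2
        return end - start, end + rel, prefixes
    if op == 0x0F and i + 1 < len(code) and 0x80 <= code[i + 1] <= 0x8F:
        rel, end = struct.unpack_from("<i", code, i + 2)[0], i + 6   # 2-byte jcc rel32
        return end - start, end + rel, prefixes
    raise ValueError("unsupported opcode %#x at %#x" % (op, start))

def validate(code, reject_prefixed_jumps=True):
    """Pass 1 walks the buffer recording instruction boundaries; pass 2 checks
    that every jump lands on a recorded boundary.  Returns (ok, reason)."""
    starts, jumps, i = set(), [], 0
    try:
        while i < len(code):
            starts.add(i)
            length, target, prefixes = decode(code, i)
            if target is not None:
                if prefixes and reject_prefixed_jumps:   # the check the report says was missing
                    return False, "prefixed jump at %#x" % i
                jumps.append((i, target))
            i += length
    except (ValueError, struct.error) as exc:
        return False, str(exc)
    for src, target in jumps:
        if target not in starts:
            return False, "jump at %#x targets unvalidated offset %#x" % (src, target)
    return True, "ok"

# Constructed sample byte strings (not the attached PoC).
GOOD = bytes([0x90, 0x0F, 0x84, 0x01, 0, 0, 0, 0x90, 0x90])     # nop; je +1; nop; nop
PREFIXED = bytes([0x66]) + GOOD[1:]                               # same je, with a 0x66 prefix
INTO_INSN = bytes([0xEB, 0x02, 0x0F, 0x84, 0, 0, 0, 0, 0x90])     # jmp into the je's bytes
HAS_INT3 = bytes([0x90, 0xCC])                                    # nop; int3
```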
Comment 1 by mark.dowd, Mar 12, 2009
Forgot the team name: "Beached As"
Comment 2 by nativeclient.admin, Mar 12, 2009
(No comment was entered for this change.)
Status: Accepted
Owner: bradc...@google.com
Labels: Type-Defect
Comment 3 by nativeclient.admin, Apr 10, 2009
Fix was released in build 57.
Status: Fixed