An attacker being able to overwrite a function pointer or return address doesn't mean they can run any code in the process. They need to choose code that the CFI implementation permits calling from there and they need to be able to point it at the dynamic address of that code.
If eval() isn't there, it increases effort for the attacker, yes. With eval(), it doesn't make any difference at all.
-
An attacker needs to find the address of eval and a function pointer / return address to overwrite with it along with setting it up to properly pass a pointer to their code. It's not that much different from them being able to call system(...) in libc to run /bin/sh code.
-
If there's writable machine code, interpreted code or bytecode in memory for them to simply overwrite without needing control flow hijacking, that's way easier. If they have arbitrary read/write, they've won, but these mitigations aim to make it take longer to put it together.
-
There's both bytecode and a JIT. So yeah, plenty of surface.