[12393] in bugtraq
Re: Stack Shield 0.6 beta released
daemon@ATHENA.MIT.EDU (Crispin Cowan)
Mon Nov 1 23:34:01 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <381E2226.379CB639@cse.ogi.edu>
Date: Mon, 1 Nov 1999 23:28:38 +0000
Reply-To: crispin@CSE.OGI.EDU
From: Crispin Cowan <crispin@CSE.OGI.EDU>
X-To: vendicator@USA.NET
To: BUGTRAQ@SECURITYFOCUS.COM
vendicator@USA.NET wrote:
> A new version of Stack Shield has been released. It includes
> the new protection for "function pointer" attacks and some
> minor bug fixes.
>
> http://www.angelfire.com/sk/stackshield
I'm intrigued by the claim to protect against function pointer attacks.
I read the TECHNICAL file included with the download, and can't figure
out what you're doing. Here's the relevant text from the
TECHNICAL file:
The secondary protection method handles the function pointer overwrite exploit class. When a buffer overflow causes the overwrite of a function pointer with an arbitrary address (usually of some location in the buffer) and the function pointer is called, the program will execute the attacker's code without being detected by the primary method, since the RET address will not have been modified. Also the execution of the shell code may take place before the execution of the function epilog.

The secondary method adds a portion of code in the beginning of the asm file and before each function call with a non-constant parameter. The header declares a variable in the DATA segment. The part inserted before the calls checks if the parameter value is not in the DATA or in the STACK segment. This is done by comparing the parameter with the previously declared variable address. If the parameter is greater, it is in the DATA or in the STACK segment (or outside the process memory space). In this case the program is terminated via an exit() system call, returning a nonzero value.

This method can cause errors in programs that normally execute asm code in the DATA or in the STACK segment. If you experience unexpected program terminations not caused by attack attempts use the Stack Shield -f flag to disable this protection method.
Based on this, I can make some guesses as to what your function pointer
defense is, but they'd just be guesses. What "parameter" is it that
you're checking?
Thanks,
Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
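The check the TECHNICAL file describes, rendered in C as an added example (this is not Stack Shield's own code, which is inserted at the assembly level, nor anything from the thread). It assumes that "parameter" means the target of an indirect call and that the process is laid out TEXT below DATA below STACK, as the file's reasoning requires; the names shield_boundary, shield_target_ok and shield_call are invented for illustration.

```c
/* Stack Shield "secondary method" as described in TECHNICAL, as an added
   C illustration.  Assumed layout: TEXT < DATA < STACK (true for ELF/Linux). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*handler_t)(void);

/* The "variable declared in the DATA segment": its address is the boundary.
   Initialised so it lands in .data rather than .bss (either is above TEXT). */
volatile int shield_boundary = 1;

/* 1 if the call target lies below the boundary (TEXT), 0 if it is at or above
   it (DATA, STACK, heap, or outside the process) and must be rejected. */
int shield_target_ok(uintptr_t target) {
    return target < (uintptr_t)&shield_boundary;
}

/* What the code inserted before each indirect call does: check the target,
   then either call through it or terminate with a nonzero exit status.
   Caveat from the file: code legitimately placed in DATA/STACK (trampolines,
   JIT output) is rejected too, hence the -f flag to disable this method. */
void shield_call(handler_t fp) {
    if (!shield_target_ok((uintptr_t)fp)) {
        fputs("stackshield: call target outside TEXT, terminating\n", stderr);
        exit(1);
    }
    fp();
}

static void legit_handler(void) { puts("legit handler ran"); }

/* Shape of the targeted exploit class: a buffer adjacent to a function
   pointer.  No overflow is performed; the corrupted value an overflow would
   leave (the buffer's own address) is simply constructed for the check. */
struct callback_slot { char buf[32]; handler_t fn; };

int simulate_corrupted_slot_rejected(void) {
    struct callback_slot slot;
    slot.fn = legit_handler;
    memset(slot.buf, 'A', sizeof slot.buf);
    uintptr_t corrupted = (uintptr_t)slot.buf;   /* constructed bad target */
    return !shield_target_ok(corrupted) && shield_target_ok((uintptr_t)slot.fn);
}

int main(void) {
    shield_call(legit_handler);   /* passes: target is in TEXT */
    printf("corrupted pointer rejected: %d\n", simulate_corrupted_slot_rejected());
    return 0;
}
```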