[12426] in bugtraq
Re: "Function pointer" attacks.
daemon@ATHENA.MIT.EDU (Crispin Cowan)
Wed Nov 3 16:41:22 1999
Message-Id: <381F20DD.A406C813@cse.ogi.edu>
Date: Tue, 2 Nov 1999 17:35:25 +0000
Reply-To: crispin@CSE.OGI.EDU
From: Crispin Cowan <crispin@CSE.OGI.EDU>
X-To: vendicator@USA.NET
To: BUGTRAQ@SECURITYFOCUS.COM

vendicator@USA.NET wrote:
> I don't know if this technique is already known but since I
> added a protection for it in Stack Shield I decided to post
> it.

The attack form is well known. There was an exploit against SuperProbe
in 1997 that used this technique.

> The new Stack Shield 0.6 beta has a new protection mechanism
> that checks on non-constant calls if the call is in the TEXT
> segment. This could cause problems for programs that execute
> code from the DATA or STACK segment, however this stops this
> kind of attack.

This is the part I wanted details on. The above paragraph is not
sufficient for me to figure out what your defense against function
pointer smashing is. My guess is that you're blocking indirect function
calls that point to the data or stack segment. The stack segment block
has an identical effect to Solar Designer's non-executable stack patch
for the kernel. The data segment block is likely to cause failures for
programs that emit dynamic code. Sure, emitting dynamic code is gross,
but if you *are* going to do it, then function pointers are a natural way
to call your dynamic code.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
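The guard Crispin is guessing at (an indirect call allowed only when its target lies in executable text) can be sketched as a runtime check. This is an added example, not Stack Shield's code or anything posted in the thread; it assumes Linux, since it reads /proc/self/maps, and the function names are my own.

```c
#include <stdio.h>
#include <stdint.h>

typedef int (*handler_t)(int);

/* Return 1 if addr lies inside a mapping with the execute bit set, by
 * scanning /proc/self/maps (Linux-specific). An unreadable map denies. */
int addr_is_executable(uintptr_t addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512], perms[5];
    unsigned long lo, hi;
    int found = 0;
    if (!maps)
        return 0;
    while (!found && fgets(line, sizeof line, maps)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 &&
            perms[2] == 'x' && addr >= lo && addr < hi)
            found = 1;
    }
    fclose(maps);
    return found;
}
/* Guarded indirect call: *ok becomes 0 and the call is skipped when the
 * target is outside executable memory, e.g. a function pointer that was
 * overwritten to point at the stack or a data buffer. */
int guarded_call(handler_t fp, int arg, int *ok)
{
    *ok = addr_is_executable((uintptr_t)fp);
    return *ok ? fp(arg) : -1;
}
static int double_it(int x) { return 2 * x; }

/* A legitimate target in the text segment is called normally. */
int demo_legit(void)
{
    int ok, r = guarded_call(double_it, 21, &ok);
    return ok ? r : -1;                 /* 42 on a normal Linux build */
}
/* A target inside a stack buffer is refused. The same refusal would hit a
 * program that emits dynamic code into a data buffer (the caveat above). */
int demo_stack_target_refused(void)
{
    unsigned char buf[16] = {0};        /* constructed, never executed */
    int ok;
    guarded_call((handler_t)(uintptr_t)buf, 1, &ok);
    return ok == 0;                     /* 1: the call was blocked */
}
```

The data-segment case behaves the same way, which is exactly why a program that JITs into a heap or data buffer would break under this check.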