[16317] in bugtraq
Re: stackguard 1.21 vulnerability
daemon@ATHENA.MIT.EDU (Crispin Cowan)
Mon Aug 21 15:24:02 2000
Message-Id:  <399E345F.27F7EC48@wirex.com>
Date:         Sat, 19 Aug 2000 00:16:47 -0700
Reply-To: crispin@WIREX.COM
From: Crispin Cowan <crispin@WIREX.COM>
X-To:         Hiroaki Etoh <ETOH@JP.IBM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hiroaki Etoh wrote:
> Hiroaki Etoh has discovered a security vulnerability that permits attackers to
> perpetrate attacks against StackGuarded programs under common circumstances.
This is incorrect, on two counts:
  1. Neither Emsi nor Etoh ever showed that the code sequence required for this
     attack method is common (a nit)
  2. Etoh's analysis ignores the fact that StackGuard mprotect's the random canary
     table, so Etoh's attack will fail.
> The attacker overflows the buffer a[] and changes a series of values: the value
> p, the XOR random canary, and the return address with the address of the random
> value[i] that is used at that function, the address of some malicious code, and
> the same address of that code respectively.   When the *p=0 is executed, the
You cannot set the random canary value to zero, because StackGuard puts the random
canary table on a separate page and then mprotect()'s it, precisely to prevent
attackers from attempting this attack.
You can try to sniff the canary table values, but that requires a vulnerability
that gives the attacker the ability to point at arbitrary state, and then copy that
state elsewhere.  This is because the random canary table has been bracketed with
"red" pages (un-mapped pages that induce seg faults when accessed).  While not
perfect protection, this makes it harder to sniff canaries.
Crispin
--
Crispin Cowan, Chief Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                          http://immunix.org
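The layout Crispin describes, as an added example that is not part of the original post and is not StackGuard's own code: a page of random canaries is filled at startup, bracketed by two "red" pages, and then mprotect()'ed read-only, so the `*p = 0` step of Etoh's attack faults instead of zeroing the canary. The struct, the function names, the use of PROT_NONE mappings in place of truly unmapped red pages, and the /dev/urandom seeding are all this example's own assumptions; `protect=0` builds the writable table the attack assumes, so the two layouts can be compared side by side.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Illustrative StackGuard-style canary table (assumed layout, not StackGuard's code):
 * one page of random canaries, a red page on each side, table made read-only.
 * PROT_NONE pages stand in for the unmapped red pages: any touch faults just the same. */
typedef struct {
    uint8_t  *region;    /* 3-page anonymous mapping: red | canaries | red */
    uint32_t *canaries;  /* the middle page holds the table */
    size_t    count;     /* canaries per table */
    size_t    page;      /* page size */
} canary_table;

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

static void on_fault(int sig) {
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);
}

/* Perform one memory access under a SIGSEGV/SIGBUS trap.
 * Returns 1 if the access faulted (was blocked), 0 if it went through. */
static int probe(void (*access)(volatile uint32_t *), volatile uint32_t *p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        access(p);
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return fault_seen;
}

static void do_write(volatile uint32_t *p) { *p = 0; }               /* the attack's "*p = 0" */
static void do_read(volatile uint32_t *p)  { uint32_t v = *p; (void)v; } /* a prologue/epilogue read */

/* Build the table. protect=0 leaves it writable (the layout the attack needs);
 * protect=1 adds the red pages and the read-only mprotect(). Returns 0 on success. */
int canary_table_init(canary_table *t, int protect) {
    t->page = (size_t)sysconf(_SC_PAGESIZE);
    t->region = mmap(NULL, 3 * t->page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (t->region == MAP_FAILED) return -1;
    t->canaries = (uint32_t *)(t->region + t->page);
    t->count = t->page / sizeof(uint32_t);
    FILE *rnd = fopen("/dev/urandom", "rb");          /* random canaries chosen at startup */
    if (!rnd) return -1;
    size_t got = fread(t->canaries, sizeof(uint32_t), t->count, rnd);
    fclose(rnd);
    if (got != t->count) return -1;
    if (!protect) return 0;
    if (mprotect(t->region, t->page, PROT_NONE) != 0) return -1;               /* red page below */
    if (mprotect(t->region + 2 * t->page, t->page, PROT_NONE) != 0) return -1; /* red page above */
    return mprotect(t->canaries, t->page, PROT_READ);                          /* table read-only */
}

/* 1 if writing zero over canary i faults (blocked), 0 if the write lands. */
int zeroing_canary_blocked(canary_table *t, size_t i) {
    return probe(do_write, &t->canaries[i]);
}
/* 1 if canary i can still be read by legitimate code. */
int canary_readable(canary_table *t, size_t i) {
    return !probe(do_read, &t->canaries[i]);
}
/* 1 if the word at byte offset off from the table start faults;
 * off = -4 is the red page below, off = page size the one above. */
int red_page_blocks(canary_table *t, long off) {
    return probe(do_read, (uint32_t *)((uint8_t *)t->canaries + off));
}

int main(void) {
    canary_table weak, hardened;
    if (canary_table_init(&weak, 0) != 0 || canary_table_init(&hardened, 1) != 0) return 1;
    printf("writable table:  zeroing canary[3] blocked = %d\n", zeroing_canary_blocked(&weak, 3));
    printf("protected table: zeroing canary[3] blocked = %d\n", zeroing_canary_blocked(&hardened, 3));
    printf("protected table: canary[3] readable = %d, red page below = %d, above = %d\n",
           canary_readable(&hardened, 3), red_page_blocks(&hardened, -4),
           red_page_blocks(&hardened, (long)hardened.page));
    return 0;
}
```

The read-only page is what defeats the `*p = 0` write; the red pages are what make a sniffing attempt that walks a pointer off the table fault instead of reading neighbouring memory. As the post says, an attacker who can already point at and copy arbitrary state can still read the canaries through the legitimate read path, which is why this is harder to attack rather than impossible.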