
Re: stackguard 1.21 vulnerability



Hiroaki Etoh wrote:

> Hiroaki Etoh has discovered a security vulnerability that permits attackers to
> perpetrate attacks against StackGuarded programs under common circumstances.

This is incorrect, on two counts:

  1. Neither Emsi nor Etoh ever showed that the code sequence required for this
     attack method is common (a nit)
  2. Etoh's analysis ignores the fact that StackGuard mprotect's the random canary
     table, so Etoh's attack will fail.

> The attacker overflows the buffer a[] and changes a series of values: the value
> p, the XOR random canary, and the return address with the address of the random
> value[i] that is used at that function, the address of some malicious code, and
> the same address of that code respectively.   When the *p=0 is executed, the

You cannot set the random canary value to zero, because StackGuard puts the random
canary table on a separate page and then mprotect()'s it, precisely to prevent
attackers from attempting this attack.

You can try to sniff the canary table values, but that requires a vulnerability
that gives the attacker the ability to point at arbitrary state, and then copy that
state elsewhere.  This is because the random canary table has been bracketed with
"red" pages (un-mapped pages that induce seg faults when accessed).  While not
perfect protection, this makes it harder to sniff canaries.

Crispin

--
Crispin Cowan, Chief Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                          http://immunix.org
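An added illustration of the defence Crispin describes (example code written for this page; it is neither StackGuard's own implementation nor anything posted in the thread): a table of random canaries is placed on its own page, bracketed by "red" pages, filled from /dev/urandom, and then mprotect()'d read-only. The names (`canary_table_t`, `canary_table_init`, `access_faults`) are assumptions, and the red pages are modelled as PROT_NONE reservations rather than truly unmapped pages; both fault the same way, and a reservation additionally keeps later mmap() calls from landing next to the table. The `access_faults` probe catches the fault with sigsetjmp/siglongjmp so the program can report, without dying, that reads of the table succeed while writes to it and any access to the red pages fault.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical sketch, not StackGuard's code: three pages are reserved with
 * no access at all (red, table, red); only the middle page is ever opened,
 * and only long enough to fill it with random canaries. */
typedef struct {
    void     *region;  /* base of the three-page mapping: red, table, red */
    uint32_t *table;   /* the middle, read-only page holding the canaries */
    size_t    count;   /* number of 32-bit canaries that fit on the page */
    size_t    pagesz;
} canary_table_t;

/* Fill buf with len bytes from /dev/urandom; 0 on success, -1 on failure. */
static int fill_random(void *buf, size_t len) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, (char *)buf + got, len - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Reserve red+table+red, open the table page for writing just long enough
 * to fill it, then drop it back to read-only (the prologue/epilogue checks
 * only need to read it). Returns 0 on success, -1 on failure. */
int canary_table_init(canary_table_t *ct) {
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0) return -1;
    ct->pagesz = (size_t)ps;
    void *base = mmap(NULL, 3 * ct->pagesz, PROT_NONE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    ct->region = base;
    ct->table  = (uint32_t *)((char *)base + ct->pagesz);
    ct->count  = ct->pagesz / sizeof(uint32_t);
    if (mprotect(ct->table, ct->pagesz, PROT_READ | PROT_WRITE) != 0 ||
        fill_random(ct->table, ct->pagesz) != 0 ||
        mprotect(ct->table, ct->pagesz, PROT_READ) != 0) {
        munmap(base, 3 * ct->pagesz);
        return -1;
    }
    return 0;
}

int canary_table_free(canary_table_t *ct) {
    return munmap(ct->region, 3 * ct->pagesz);
}

/* Probe whether touching addr faults, without killing the process:
 * returns 1 if the access raised SIGSEGV/SIGBUS, 0 if it went through,
 * -1 if the handler could not be installed. */
static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

int access_faults(void *addr, int write) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old_segv) != 0) return -1;
    if (sigaction(SIGBUS, &sa, &old_bus) != 0) return -1;
    volatile int faulted = 0;
    if (sigsetjmp(probe_env, 1) == 0) {
        volatile uint32_t *p = (volatile uint32_t *)addr;
        if (write) { *p = 0; }              /* the zeroing write from the post */
        else { uint32_t v = *p; (void)v; }  /* a plain read */
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

int main(void) {
    canary_table_t ct;
    if (canary_table_init(&ct) != 0) { perror("canary_table_init"); return 1; }
    printf("%zu canaries on one page; read ok=%d write faults=%d red page faults=%d\n",
           ct.count, access_faults(ct.table, 0) == 0,
           access_faults(ct.table, 1), access_faults(ct.region, 0));
    canary_table_free(&ct);
    return 0;
}
```

The point of the layout is the one the message makes: a write primitive aimed at the canary page faults instead of zeroing a canary, and a read primitive that walks off the ends of the table lands on a red page and faults before it can copy anything out.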