Bugtraq mailing list archives
Re: ImmuniX OS Security Alert: StackGuard 1.21 Released
From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Wed, 10 Nov 1999 22:06:42 +0000
Gerardo Richarte wrote:
I think that having this kind of overflow available, StackWard is still vulnerable to a little smarter attack.
I assume you mean "StackGuard". I've never heard of StackWard, and neither has Altavista. If someone needs a catch project name, "stackward" seems to be available :-)
You may think that this code example is too tricky, but there was a buffer overflow in bind's inverse query (http://www.securityfocus.com/vdb/bottom.html?vid=134) like this. This makes me remember of some code I wrote to exploit this for Sparcs, as it was just one call deep, it was imposible to overwrite the return address, so, by using a memcpy() to a pointer I could overwrite (like that one in the example code) I overwrited part of the libc in memory, lets say printf, so when the program called printf() after the second memcpy(), instead of calling the original printf() it called my code: Here you have an exploit that can be used still if you have StackWard.
You appear to be describing a buffer overflow that attacks a pointer, and not the activation record. StackGuard only claims to protect the activation record, so while this is a legitimate vulnerability that StackGuard does not prevent, it is not actually a bug in StackGuard. We are developing a future product called "PointGuard" that will try to apply StackGuard-style integrity checking to code pointers, but it is a long way from ready. If I understand your bind vulnerability correctly, it is the kind of thing that PointGuard would be able to defend against. Crispin ----- Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com Free Hardened Linux Distribution: http://immunix.org
Current thread:
- ImmuniX OS Security Alert: StackGuard 1.21 Released Crispin Cowan (Nov 09)
- Re: ImmuniX OS Security Alert: StackGuard 1.21 Released Gerardo Richarte (Nov 10)
- Re: ImmuniX OS Security Alert: StackGuard 1.21 Released Crispin Cowan (Nov 10)
- Re: ImmuniX OS Security Alert: StackGuard 1.21 Released Iván Arce (Nov 10)
- Vulnerability in ImmuniX OS Security Alert: StackGuard 1.21 Released Gerardo Richarte (Nov 11)
- Re: Vulnerability in ImmuniX OS Security Alert: StackGuard 1.21Released Crispin Cowan (Nov 13)