Bugtraq mailing list archives

Re: stackguard 1.21 vulnerability


From: Crispin Cowan <crispin () WIREX COM>
Date: Sat, 19 Aug 2000 00:16:47 -0700

Hiroaki Etoh wrote:

> Hiroaki Etoh has discovered a security vulnerability that permits attackers to
> perpetrate attacks against StackGuarded programs under common circumstances.

This is incorrect, on two counts:

  1. Neither Emsi nor Etoh ever showed that the code sequence required for this
     attack method is common (a nit)
  2. Etoh's analysis ignores the fact that StackGuard mprotect's the random canary
     table, so Etoh's attack will fail.

> The attacker overflows the buffer a[] and changes a series of values: the value
> p, the XOR random canary, and the return address with the address of the random
> value[i] that is used at that function, the address of some malicious code, and
> the same address of that code respectively. When the *p=0 is executed, the

You cannot set the random canary value to zero, because StackGuard puts the random
canary table on a separate page and then mprotect()'s it, precisely to prevent
attackers from attempting this attack.

You can try to sniff the canary table values, but that requires a vulnerability
that gives the attacker the ability to point at arbitrary state, and then copy that
state elsewhere.  This is because the random canary table has been bracketed with
"red" pages (un-mapped pages that induce seg faults when accessed).  While not
perfect protection, this makes it harder to sniff canaries.

Crispin

--
Crispin Cowan, Chief Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                          http://immunix.org
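The layout Cowan describes, as an added example that is not StackGuard's code and comes from neither post: a canary table on its own page, filled and then mprotect()'d read-only, with an unmapped "red" page on each side, plus the XOR-canary prologue/epilogue check. It then tries the one step of Etoh's attack the reply disputes, the "*p = 0" write aimed at the table entry, under a SIGSEGV trap. The table size (64 entries), /dev/urandom as the entropy source, the sample addresses, and the signal-handler-and-siglongjmp way of observing the fault are all assumptions of this example, not details taken from the page. It needs Linux or another POSIX system with mmap/mprotect.

```c
/* Added example: canary table on a read-only page between two red pages.
 * Not StackGuard's implementation; table size, /dev/urandom and the
 * fault-trapping method are assumptions of this example. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define CANARY_ENTRIES 64            /* assumed; the page gives no table size */

static uintptr_t *canary_table;      /* middle page of a three-page mapping */
static sigjmp_buf fault_env;
static volatile sig_atomic_t faults_seen;

static void on_segv(int sig) { (void)sig; faults_seen++; siglongjmp(fault_env, 1); }

/* red page | canary page | red page.  Fill the middle page with random
 * words, then make it read-only.  Returns 0 on success, -1 on failure. */
int canary_table_init(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    uint8_t *region = mmap(NULL, 3 * (size_t)page, PROT_NONE,
                           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    uint8_t *table_page = region + page;           /* outer pages stay PROT_NONE */
    if (mprotect(table_page, (size_t)page, PROT_READ | PROT_WRITE) != 0) return -1;
    FILE *urandom = fopen("/dev/urandom", "rb");  /* assumed entropy source */
    if (urandom == NULL) return -1;
    size_t want = CANARY_ENTRIES * sizeof(uintptr_t);
    size_t got = fread(table_page, 1, want, urandom);
    fclose(urandom);
    if (got != want) return -1;
    canary_table = (uintptr_t *)table_page;
    /* The step Cowan's reply relies on: once filled, the page is never writable again. */
    return mprotect(table_page, (size_t)page, PROT_READ);
}

/* Epilogue test in pure form, so the effect of a zeroed entry can be shown
 * without a writable table: the frame is accepted iff stored ^ entry == ret. */
int frame_intact(uintptr_t entry, uintptr_t stored_canary, uintptr_t ret_addr)
{
    return (stored_canary ^ entry) == ret_addr;
}

/* Prologue: the word the XOR-canary mode pushes for function i. */
uintptr_t make_xor_canary(size_t i, uintptr_t ret_addr)
{
    return ret_addr ^ canary_table[i % CANARY_ENTRIES];
}

/* Epilogue: 1 if the frame checks out, 0 if canary word or return address moved. */
int check_xor_canary(size_t i, uintptr_t stored_canary, uintptr_t ret_addr)
{
    return frame_intact(canary_table[i % CANARY_ENTRIES], stored_canary, ret_addr);
}

/* Run one memory access under a SIGSEGV trap.  1 = faulted, 0 = succeeded, -1 = error. */
static int faults(void (*access)(volatile uintptr_t *), volatile uintptr_t *addr)
{
    struct sigaction sa, old;
    volatile int faulted = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    if (sigaction(SIGSEGV, &sa, &old) != 0) return -1;
    if (sigsetjmp(fault_env, 1) == 0) access(addr);
    else faulted = 1;
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

static void do_write_zero(volatile uintptr_t *p) { *p = 0; }
static void do_read(volatile uintptr_t *p) { (void)*p; }

/* Etoh's "*p = 0" with p aimed at function i's table entry. */
int attempt_zero_canary(size_t i) { return faults(do_write_zero, &canary_table[i % CANARY_ENTRIES]); }

/* A sniffing read that wanders one word below the table lands on a red page. */
int attempt_read_red_page(void) { return faults(do_read, canary_table - 1); }

/* Reading the table itself still works; that is the sniffing avenue the reply concedes. */
uintptr_t read_canary(size_t i) { return canary_table[i % CANARY_ENTRIES]; }

int main(void)
{
    if (canary_table_init() != 0) { perror("canary_table_init"); return 1; }
    uintptr_t ret = 0x08048abc, evil = 0x0804beef;   /* constructed sample addresses */
    uintptr_t stored = make_xor_canary(3, ret);
    printf("intact frame passes:          %d\n", check_xor_canary(3, stored, ret));
    printf("return address swapped:       %d\n", check_xor_canary(3, stored, evil));
    printf("would pass if entry were 0:   %d\n", frame_intact(0, evil, evil));
    printf("*p = 0 on the table faulted:  %d\n", attempt_zero_canary(3));
    printf("entry 3 unchanged:            %d\n", read_canary(3) == (stored ^ ret));
    printf("read of a red page faulted:   %d\n", attempt_read_red_page());
    return 0;
}
```

frame_intact(0, evil, evil) shows why the attack needs the zeroed entry: with canary_table[i] == 0 the pushed word and the return address can both be the same attacker-chosen value and the epilogue accepts the frame. attempt_zero_canary() shows what happens to that write once the page is PROT_READ: the process takes SIGSEGV before the frame is ever checked. The red-page read is the other half of the reply, a sniff that misses the table by one word also faults, while read_canary() confirms that a precise read of a mapped entry is not blocked.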
