Bugtraq mailing list archives
Re: stackguard 1.21 vulnerability
From: Crispin Cowan <crispin () WIREX COM>
Date: Sat, 19 Aug 2000 00:16:47 -0700
Hiroaki Etoh wrote:
Hiroaki Etoh has discovered a security vulnerability that permits attackers to perpetrate attacks against StackGuarded programs under common circumstances.
This is incorrect, on two counts:
1. Neither Emsi nor Etoh ever showed that the code sequence required for this attack method is common (a nit).
2. Etoh's analysis ignores the fact that StackGuard mprotect's the random canary table, so Etoh's attack will fail.
The attacker overflows the buffer a[] and changes a series of values: the value p, the XOR random canary, and the return address with the address of the random value[i] that is used at that function, the address of some malicious code, and the same address of that code respectively. When the *p=0 is executed, the
You cannot set the random canary value to zero, because StackGuard puts the random canary table on a separate page and then mprotect()'s it, precisely to prevent attackers from attempting this attack. You can try to sniff the canary table values, but that requires a vulnerability that gives the attacker the ability to point at arbitrary state, and then copy that state elsewhere. This is because the random canary table has been bracketed with "red" pages (un-mapped pages that induce seg faults when accessed). While not perfect protection, this makes it harder to sniff canaries.

Crispin
--
Crispin Cowan, Chief Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
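The layout Cowan describes, a canary table on its own page that is mprotect()'d read-only after it is filled and bracketed by unmapped "red" pages, can be reproduced in a few dozen lines. The following is an added example written for this archive page; it is not StackGuard's source and does not show its compiler-side instrumentation. It assumes a POSIX system with mmap/mprotect, takes entropy from /dev/urandom, and uses made-up names (canary_table_init, canary_lookup, canary_matches, run_checks). The run_checks routine performs each access under a signal handler so the program can report, rather than crash on, the fault that a store into the table or a read of a red page produces.

```c
/* Added example (not StackGuard's own code): canary table on a read-only page
 * bracketed by unmapped "red" pages, as described in the reply above. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define CANARY_SLOTS 128            /* one random canary per protected function */

static uint32_t *canary_table;       /* middle page of the three-page region */
static long page_size;
static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

static void on_fault(int sig) {
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);        /* unwind out of the faulting access */
}

/* Layout: [red page][canary table][red page]. Returns 0 on success, -1 on error. */
int canary_table_init(void) {
    page_size = sysconf(_SC_PAGESIZE);
    if (page_size <= 0) return -1;
    unsigned char *region = mmap(NULL, 3 * (size_t)page_size, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    canary_table = (uint32_t *)(region + page_size);

    /* Fill the table while it is still writable (entropy source assumed: /dev/urandom). */
    FILE *rnd = fopen("/dev/urandom", "rb");
    if (!rnd) return -1;
    size_t got = fread(canary_table, sizeof(uint32_t), CANARY_SLOTS, rnd);
    fclose(rnd);
    if (got != CANARY_SLOTS) return -1;

    /* Red pages: no access at all. Table page: read-only from here on. */
    if (mprotect(region, page_size, PROT_NONE) != 0) return -1;
    if (mprotect(region + 2 * page_size, page_size, PROT_NONE) != 0) return -1;
    if (mprotect(region + page_size, page_size, PROT_READ) != 0) return -1;
    return 0;
}

uint32_t canary_lookup(int slot) { return canary_table[slot % CANARY_SLOTS]; }

/* Epilogue-style check: 1 if the word saved on the stack still equals the canary. */
int canary_matches(int slot, uint32_t saved) { return saved == canary_lookup(slot); }

/* Perform one access under a SIGSEGV/SIGBUS handler; returns 1 if the kernel refused it. */
static int access_is_blocked(volatile uint32_t *addr, int do_write) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        if (do_write) {
            *addr = 0;               /* a store into the table: refused once it is read-only */
        } else {
            volatile uint32_t sink = *addr;
            (void)sink;
        }
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return fault_seen;
}

/* Bitmask of what the layout enforces: 1 table readable, 2 store into table refused,
 * 4 red page below unreadable, 8 red page above unreadable. Returns -1 if init fails. */
int run_checks(void) {
    if (canary_table_init() != 0) return -1;
    unsigned char *base = (unsigned char *)canary_table;
    int mask = 0;
    if (!access_is_blocked(&canary_table[0], 0)) mask |= 1;
    if (access_is_blocked(&canary_table[0], 1)) mask |= 2;
    if (access_is_blocked((uint32_t *)(base - page_size), 0)) mask |= 4;
    if (access_is_blocked((uint32_t *)(base + page_size), 0)) mask |= 8;
    return mask;
}

int main(void) {
    int mask = run_checks();
    printf("protection mask = %d (15 means all four checks held)\n", mask);
    printf("slot 3 canary matches itself: %d\n", canary_matches(3, canary_lookup(3)));
    return mask == 15 ? 0 : 1;
}
```

The table itself is never a secret from the process that owns it (canary_lookup reads it freely), which is why the reply distinguishes overwriting the table, which the read-only mapping refuses outright, from sniffing it, which still needs a separate arbitrary-read primitive and then has to avoid the red pages on either side.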
Current thread:
- stackguard 1.21 vulnerability Hiroaki Etoh (Aug 18)
- Re: stackguard 1.21 vulnerability Crispin Cowan (Aug 21)