Security Incidents mailing list archives

Re: Stack Execution


From: Eric Brandwine <ericb () UU NET>
Date: 15 Feb 2002 22:02:09 +0000

"ks" == Kurt Seifried <bugtraq () seifried org> writes:

If I disable stack execution in Solaris 6 and 8, am I still
vulnerable to the SNMP vulnerability?  CERT makes a comment to this
but it isn't clear. Either it stops stack smashing or it doesn't.
Any information would be appreciated.

ks> It stops some stack smashing, but not all. In Linux for example even with
ks> Solar Designer's OpenWall kernel patch, ImmunixOS addons and the like it's
ks> still possible to smash the stack.

This is a UNIX security problem, not an SNMP specific problem.

The classic buffer overflow/stack smash attack stuffs too much data
into a buffer that's stored in an automatic variable (on the stack).
This overflows the stack frame pointer, the return address, and some
data beyond.  So the trick is to stuff the buffer such that the return
address points to another part of the buffer, that contains your
freshly uploaded shell code.

If you stuff the buffer with random data, you send the program off to
a random location, where it crashes in confusion.  This is what many
of the Oulu packets do.

Setting the stack pages to no-exec in the memory mapping hardware
prevents the processor from jumping to parts of the stack, and executing
from there.  However, the heap is still executable, as are other areas
of memory.  Using shared libraries, or combining this stack smashing
attack with a heap overflow, the system is still vulnerable.  The
attacker would pre-load the shellcode into some heap variable, and
then smash the stack, and have the processor return to that variable.
This is harder to do, but not impossible.  And since it takes one
smart hacker and a million idiots...

You'll always be able to crash it, regardless of the setting of
no-exec-stack.  There's not much you can do to protect the return
value on the stack (bounds checking, but if you did that, you wouldn't
be vulnerable in the first place).  no-exec-stack will just prevent
the attacker from running shellcode in the stack.

You are still vulnerable to DoS.  You are less vulnerable to remote
root.  Enable no-exec-stack, and patch now.

ericb
-- 
Eric Brandwine     |  Failing organizations are usually over-managed and
UUNetwork Security |  under-led.
ericb () uu net       |
+1 703 886 6038    |      - Warren G. Bennis
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E
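The bounds checking the reply mentions, as an added illustration that is not code from the message or its author: a hypothetical reader for one BER OCTET STRING (tag 0x04, the encoding SNMP uses for the community string) that checks the wire length byte against both the bytes left in the packet and the fixed automatic buffer before copying, next to the unchecked pattern the reply describes. The packets it parses are constructed here; COMMUNITY_MAX and the error codes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define COMMUNITY_MAX 32          /* size of the caller's automatic buffer (assumed) */

enum { OK = 0, ERR_SHORT = -1, ERR_TAG = -2, ERR_LENFORM = -3,
       ERR_TRUNC = -4, ERR_TOOBIG = -5 };

/* Bounds-checked: copies the value into out (NUL-terminated) and returns OK,
 * or an error code without touching out. The length byte is attacker data. */
int read_octet_string(const uint8_t *pkt, size_t pktlen, char *out, size_t outsz)
{
    if (pktlen < 2)        return ERR_SHORT;    /* need tag and length bytes */
    if (pkt[0] != 0x04)    return ERR_TAG;      /* not an OCTET STRING */
    if (pkt[1] & 0x80)     return ERR_LENFORM;  /* long-form length: not accepted here */
    size_t len = pkt[1];
    if (len > pktlen - 2)  return ERR_TRUNC;    /* length claims more than the packet has */
    if (len >= outsz)      return ERR_TOOBIG;   /* would run past the stack buffer */
    memcpy(out, pkt + 2, len);
    out[len] = '\0';
    return OK;
}

/* The unchecked pattern the message describes, shown for contrast only:
 *     memcpy(out, pkt + 2, pkt[1]);   // trusts the wire length byte
 * With `out` an automatic array, an oversized length overwrites the saved
 * frame pointer and return address; random data there crashes the process. */

char last_community[COMMUNITY_MAX];   /* value parsed by the most recent probe */

/* Builds a constructed packet whose length byte is `claimed` and whose payload
 * is `actual` bytes cycled from `fill` (non-empty), then parses it into a
 * stack buffer exactly as a daemon would. Returns the parser's result code. */
int probe(uint8_t claimed, size_t actual, const char *fill)
{
    uint8_t pkt[2 + 64];
    if (actual > 64 || fill[0] == '\0') return ERR_SHORT;   /* keep the sample small */
    pkt[0] = 0x04;
    pkt[1] = claimed;
    for (size_t i = 0; i < actual; i++)
        pkt[2 + i] = (uint8_t)fill[i % strlen(fill)];
    char community[COMMUNITY_MAX];              /* the automatic variable at risk */
    int rc = read_octet_string(pkt, 2 + actual, community, sizeof community);
    if (rc == OK) strcpy(last_community, community);
    else          last_community[0] = '\0';
    return rc;
}
```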

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com