Bugtraq mailing list archives

Re: Stack Shield 0.6 beta released


From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Mon, 1 Nov 1999 23:28:38 +0000


vendicator () USA NET wrote:

A new version of Stack Shield has been released. It includes
the new protection for "function pointer" attacks and some
minor bug fixes.

http://www.angelfire.com/sk/stackshield

I'm intrigued by the claim to protect against function pointer attacks.
I read the TECHNICAL file included with the download, and can't figure
out what you're doing.  Here's the relevant text from the
TECHNICAL file:

     The secondary protection method handles the function pointer
     overwrite exploit class. When a buffer overflow causes the overwrite
     of a function pointer with an arbitrary address (usually of some
     location in the buffer) and the function pointer is called, the
     program will execute the attacker's code without being detected by
     the primary method, since the RET address will not have been
     modified. Also the execution of the shell code may take place before
     the execution of the function epilog.

     The secondary method adds a portion of code in the beginning of the
     asm file and before each function call with a non-constant parameter.
     The header declares a variable in the DATA segment. The part inserted
     before the calls checks if the parameter value is not in the DATA or
     in the STACK segment. This is done by comparing the parameter with the
     previously declared variable address. If the parameter is greater, it
     is in the DATA or in the STACK segment (or outside the process memory
     space). In this case the program is terminated via an exit() system
     call, returning a nonzero value.

     This method can cause errors in programs that normally execute asm
     code in the DATA or in the STACK segment. If you experience unexpected
     program terminations not caused by attack attempts, use the Stack
     Shield -f flag to disable this protection method.

Based on this, I can make some guesses as to what your function pointer
defense is, but they'd just be guesses.  What "parameter" is it that
you're checking?

Thanks,
    Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
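As an added illustration, not Stack Shield's own code, the secondary method quoted above modelled in C: a DATA-segment variable serves as the boundary, and each call through a non-constant pointer is preceded by the comparison the TECHNICAL text describes. It assumes the i386 Linux layout of the time (TEXT below DATA, DATA below the STACK); the names ss_boundary, ss_target_is_code and SS_CALL are chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption (i386 Linux layout of the time): TEXT is mapped below DATA,
 * and DATA below the STACK, so a code address numerically greater than a
 * DATA-segment variable's address lies in DATA, in the STACK, or outside
 * the image. ss_boundary plays the role of the "previously declared
 * variable" in the DATA segment; volatile keeps it a writable object. */
static volatile int ss_boundary = 1;

/* Returns 1 if target is below the DATA boundary (plausibly code), else 0.
 * Kept separate from the exit() so the decision itself can be tested. */
int ss_target_is_code(uintptr_t target) {
    return target < (uintptr_t)&ss_boundary;
}

/* Guarded indirect call: the check inserted before each call through a
 * non-constant operand, modelled as a macro. A suspicious target ends the
 * program with a nonzero exit code, as the TECHNICAL text describes. */
#define SS_CALL(fp, ...)                                              \
    do {                                                              \
        if (!ss_target_is_code((uintptr_t)(fp))) {                    \
            fputs("stack shield: call target not in TEXT\n", stderr); \
            exit(1);                                                  \
        }                                                             \
        (fp)(__VA_ARGS__);                                            \
    } while (0)

static void greet(const char *who) { printf("hello, %s\n", who); }
static unsigned char global_buf[64];   /* a buffer in the DATA/BSS area */

/* Three targets the check must separate: a real function, a stack buffer
 * (where an overwritten pointer usually lands) and a global buffer. */
int ss_check_real_function(void) { return ss_target_is_code((uintptr_t)greet); }
int ss_check_data_buffer(void)   { return ss_target_is_code((uintptr_t)global_buf); }
int ss_check_stack_buffer(void) {
    unsigned char buf[64] = {0};       /* constructed stand-in for the overflowed buffer */
    return ss_target_is_code((uintptr_t)buf);
}

int main(void) {
    void (*fp)(const char *) = greet;
    SS_CALL(fp, "world");              /* greet is in TEXT: the call goes through */
    printf("function=%d data=%d stack=%d (1 = allowed)\n",
           ss_check_real_function(), ss_check_data_buffer(),
           ss_check_stack_buffer());
    return 0;
}
```

Code mapped above DATA, such as a shared library's own functions, would also fail this comparison; that is the kind of false positive for which the quoted text offers the -f flag.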

