Bugtraq mailing list archives
Re: Stack Shield 0.6 beta released
From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Mon, 1 Nov 1999 23:28:38 +0000
vendicator () USA NET wrote:
> A new version of Stack Shield has been released. It includes the new protection for "function pointer" attacks and some minor bug fixes. http://www.angelfire.com/sk/stackshield

I'm intrigued by the claim to protect against function pointer attacks. I read the TECHNICAL file included with the download, and can't figure out what you're doing. Here's the relevant text from the TECHNICAL file:

> The secondary protection method handles the function pointer overwrite exploit class. When a buffer overflow causes the overwrite of a function pointer with an arbitrary address (usually of some location in the buffer) and the function pointer is called, the program will execute the attacker's code without being detected by the primary method, since the RET address will not have been modified. Also the execution of the shell code may take place before the execution of the function epilog.
>
> The secondary method adds a portion of code in the beginning of the asm file and before each function call with a non-constant parameter. The header declares a variable in the DATA segment. The part inserted before the calls checks if the parameter value is not in the DATA or in the STACK segment. This is done by comparing the parameter with the previously declared variable address. If the parameter is greater, it is in the DATA or in the STACK segment (or outside the process memory space). In this case the program is terminated via an exit() system call, returning a nonzero value.
>
> This method can cause errors in programs that normally execute asm code in the DATA or in the STACK segment. If you experience unexpected program terminations not caused by attack attempts, use the Stack Shield -f flag to disable this protection method.

Based on this, I can make some guesses as to what your function pointer defense is, but they'd just be guesses. What "parameter" is it that you're checking?

Thanks,
Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
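One reading of the check the quoted TECHNICAL text describes, written out in C as an added example; it is not part of the original message and not Stack Shield's own code. It assumes the "parameter" is the address used as the indirect call target and that the text segment sits below the DATA segment, as in a conventional ELF layout; `data_marker`, `target_allowed` and `guarded_call` are hypothetical names, and the refusal is returned to the caller (only `main` exits) so the check can be tested.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the variable the inserted header declares in the DATA
 * segment (hypothetical name). Initialized so it lands in .data. */
static volatile int data_marker = 1;

typedef int (*handler_t)(int);

static int double_it(int x) { return 2 * x; }

/* 1 if the target lies below the marker (text segment, under the layout
 * assumption above); 0 if it is at or above it, i.e. in DATA, heap,
 * STACK, or outside the image. */
static int target_allowed(uintptr_t target) {
    return target < (uintptr_t)&data_marker;
}

/* Indirect call with the comparison placed in front of it.
 * Returns 0 and stores the result, or -1 if the target is refused. */
static int guarded_call(handler_t fn, int arg, int *out) {
    if (!target_allowed((uintptr_t)fn))
        return -1;
    *out = fn(arg);
    return 0;
}

int main(void) {
    char stack_buf[16] = {0};   /* constructed: never executed */
    int r = 0;

    if (guarded_call(double_it, 21, &r) != 0)
        exit(1);
    printf("pointer into text: called, result %d\n", r);

    /* A function pointer holding a stack address, the value the quoted
     * text says an overwrite usually leaves behind. */
    if (guarded_call((handler_t)(uintptr_t)stack_buf, 0, &r) != 0) {
        fprintf(stderr, "call target above DATA marker, terminating\n");
        exit(1);                /* nonzero exit, as the text describes */
    }
    return 0;
}
```

Under this reading any target at or above the marker is refused, which is why the quoted text warns about programs that legitimately execute code placed in the DATA or STACK segment.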