Bugtraq mailing list archives
Re: Vulnerability in ImmuniX OS Security Alert: StackGuard 1.21Released
From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Sat, 13 Nov 1999 15:24:00 +0000
Gerardo Richarte wrote:
You appear to be describing a buffer overflow that attacks a pointer, and not the activation record. StackGuard only claims to protect the activation record, so while this is a legitimate vulnerability that StackGuard does not prevent, it is not actually a bug in StackGuard.Sorry for my bad english, I think that this is the problem why you misunderstood what I'm trying to say... I'll try to explain it again.
I'll try to explain again: you are over-writing function pointers. StackGuard does not defend function pointers. Yes, this is a legitimate vulnerability, but it is a vulnerability beyond the scope of the StackGuard tool. StackGuard is intended to defend function activation records, and nothing more. Emsi's hack found a way to corrupt an activation record without StackGuard detecting it. StackGuard 1.21 closes that vulnerability, and so we are back to our original claim: you can't use a buffer overflow to corrupt the return address of a function pointer without StackGuard detecting it.
with the first gets(a) it overwrites just p, so it points to 0x4010022c that is the address in memory of libc's __exit_funcs[0].func.at (look forward for exit()'s source code), a pointer to a function that will be called by libc's exit().
Precisely: libc's __exit_funcs[0].func.at is a FUNCTION POINTER, and therefore Not a StackGuard Issue. For instance, the following code is also vulnerable under StackGuard: myfunc(void (*virt_func )) { void (*foo)() = virt_func; char buf[25]; gets(buf); // overflow buff, corrupt foo ptr foo(buf); // wanna call foo, end up calling attack code ) As I've said before, we are working on a tool called "PointGuard" that will actually attempt to address this problem. Crispin ----- Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com Free Hardened Linux Distribution: http://immunix.org
Current thread:
- ImmuniX OS Security Alert: StackGuard 1.21 Released Crispin Cowan (Nov 09)
- Re: ImmuniX OS Security Alert: StackGuard 1.21 Released Gerardo Richarte (Nov 10)
- Re: ImmuniX OS Security Alert: StackGuard 1.21 Released Crispin Cowan (Nov 10)
- Re: ImmuniX OS Security Alert: StackGuard 1.21 Released Iván Arce (Nov 10)
- Vulnerability in ImmuniX OS Security Alert: StackGuard 1.21 Released Gerardo Richarte (Nov 11)
- Re: Vulnerability in ImmuniX OS Security Alert: StackGuard 1.21Released Crispin Cowan (Nov 13)