Bugtraq mailing list archives

Re: Vulnerability in ImmuniX OS Security Alert: StackGuard 1.21Released

From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Sat, 13 Nov 1999 15:24:00 +0000


Gerardo Richarte wrote:

You appear to be describing a buffer overflow that attacks a pointer, and
not the activation record.  StackGuard only claims to protect the
activation record, so while this is a legitimate vulnerability that
StackGuard does not prevent, it is not actually a bug in StackGuard.


        Sorry for my bad english, I think that this is the problem why you
misunderstood what I'm trying to say... I'll try to explain it again.


I'll try to explain again:  you are over-writing function pointers.
StackGuard does not defend function pointers.  Yes, this is a legitimate
vulnerability, but it is a vulnerability beyond the scope of the
StackGuard tool.

StackGuard is intended to defend function activation records, and
nothing more.  Emsi's hack found a way to corrupt an activation record
without StackGuard detecting it.  StackGuard 1.21 closes that
vulnerability, and so we are back to our original claim:  you can't use
a buffer overflow to corrupt the return address of a function pointer
without StackGuard detecting it.

        with the first gets(a) it overwrites just p, so it points to 0x4010022c
that is the address in memory of libc's __exit_funcs[0].func.at (look
forward for exit()'s source code), a pointer to a function that will be
called by libc's exit().


Precisely: libc's __exit_funcs[0].func.at is a FUNCTION POINTER, and
therefore  Not a StackGuard Issue.  For instance, the following code is
also vulnerable
under StackGuard:

myfunc(void (*virt_func )) {
        void (*foo)() = virt_func;
        char buf[25];

        gets(buf);      // overflow buff, corrupt foo ptr
        foo(buf);       // wanna call foo, end up calling attack code
)

As I've said before, we are working on a tool called "PointGuard" that
will actually attempt to address this problem.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org

Current thread:

ImmuniX OS Security Alert: StackGuard 1.21 Released Crispin Cowan (Nov 09)
- Re: ImmuniX OS Security Alert: StackGuard 1.21 Released Gerardo Richarte (Nov 10)
- Re: ImmuniX OS Security Alert: StackGuard 1.21 Released Crispin Cowan (Nov 10)
- Re: ImmuniX OS Security Alert: StackGuard 1.21 Released Iván Arce (Nov 10)
- Vulnerability in ImmuniX OS Security Alert: StackGuard 1.21 Released Gerardo Richarte (Nov 11)
- Re: Vulnerability in ImmuniX OS Security Alert: StackGuard 1.21Released Crispin Cowan (Nov 13)