Bugtraq mailing list archives

Re: StackGuard with ... Re: [Paper] Format bugs.


From: Gerardo Richarte <core.lists.bugtraq () CORE-SDI COM>
Date: Mon, 24 Jul 2000 16:57:20 -0300

Alan DeKok wrote:

  My reading of their pages and papers leads me to conclude that
they have an implicit assumption (I don't notice it explicitly
stated) that the attacker does NOT have read access to the stack.
The Stack Guard papers seem to assume that "blind" buffer overflows
are the primary means of attack.

        This is completely true, and as Crispin said, StackGuard was
coined to protect against Stack Buffer Overflows, not any other type
of attacks/bugs. And, as he said a while back, not to protect against
all types of buffer overflows. I think it does a good job at what it
was designed for, but at the same time, it leaves a lot of attacks
outside its scope.

  As the "Format bugs" paper pointed out, it is possible to READ the
stack, as well as to write (nearly) arbitrary data to the stack of
the target machine.  The obvious conclusion is that SOME methods of
stack "canaries" may be externally discovered, and externally
bypassed.  I will not go into details here, as they should be readily
apparent from Pascal's paper.

        You are absolutely right, and more: You don't even need to
be able to read the stack, guess any canary, NOR OVERFLOW the stack,
to exploit format bugs (and some other bugs).
        As discussed in September 1999 here in bugtraq by Crispin and
me, and after that published in phrack magazine #56 by Bulba &
Kil3r, if you have the ability to write to any chosen address in
memory, you just need to place your code somewhere, and then go and
overwrite any function pointer (that'll be called) to point to your
code, for example, a GOT entry, atexit() functions, signal handlers,
object destructors, or virtual method pointers, callback functions, etc.

        Take a look at those emails, there is an example of a
vulnerable program (not a format bug) and an exploit for it.


links

        bugtraq threads:

http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D1999-11-08%26thread%3D3829EC71.70C61F30%40cse.ogi.edu

http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D1999-11-08%26thread%3D382AD8E0.304928DD%40core-sdi.com

        phrack article:

http://julianor.tripod.com/p56-05-bypassing_stackguard.txt

        In short, you don't need to read the stack, nor guess the
canary, nor even overflow the stack to exploit this kind of bug.

        At that time (Sep-1999), Crispin was working on a tool called
"PointGuard", that was going to address these problems, I haven't heard
anything about it since.

        richie

PS: In fact, I still don't understand what attacks are protected with
the random canary method, but that's my problem (and a different
thread)

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com

--- For a personal reply use gera () core-sdi com
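The attack the mail describes, as an added example that is not part of the original message, the bugtraq threads or the phrack article it links: a write-what-where primitive (the kind a format bug's %n gives you, here simulated by an unchecked memcpy offset) is used to overwrite a function pointer that will later be called, while the buffer, the canary word and the saved return address are never touched, so a StackGuard-style epilogue check passes. The struct layout, the handler names and the constants are assumptions made for the example, not a real compiler's frame layout; the hardened variant simply confines the write to the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "stack frame": a buffer, a function pointer (stands in for a
 * GOT entry, atexit() handler, signal handler or vtable slot), a
 * StackGuard-style canary and the saved return address. The layout is an
 * assumption for illustration, not what any compiler emits. */
#define CANARY 0xDEADC0DEu

struct frame {
    char      buf[16];
    int     (*on_done)(void);
    uint32_t  canary;
    void     *saved_ret;
};

static int benign_handler(void) { return 0; }
static int injected_code(void)  { return 0x41; }  /* stands in for attacker's code */

/* Write-what-where primitive: caller picks any offset, no bounds check.
 * This is what a format bug's %n (or any unchecked index) hands an attacker. */
static void vuln_write(struct frame *f, size_t where, const void *what, size_t n)
{
    memcpy((char *)f + where, what, n);
}

/* Hardened variant: the write is confined to buf, returns -1 otherwise. */
static int safe_write(struct frame *f, size_t where, const void *what, size_t n)
{
    if (where > sizeof f->buf || n > sizeof f->buf - where)
        return -1;
    memcpy(f->buf + where, what, n);
    return 0;
}

static void init_frame(struct frame *f)
{
    memset(f, 0, sizeof *f);
    strcpy(f->buf, "job");
    f->on_done   = benign_handler;
    f->canary    = CANARY;
    f->saved_ret = NULL;                  /* placeholder, never dereferenced */
}

/* Calls the handler, then does the canary check an instrumented epilogue
 * would do. Returns the handler's result, or -1 if the check would abort. */
static int finish(struct frame *f)
{
    int r = f->on_done();
    return f->canary == CANARY ? r : -1;
}

/* Attacker knows the offset of on_done (no stack read needed) and writes the
 * address of their code there. Canary and return address stay intact, so the
 * result is 0x41: the injected code ran and the check passed. */
int exploit_vulnerable(void)
{
    struct frame f;
    int (*target)(void) = injected_code;
    init_frame(&f);
    vuln_write(&f, offsetof(struct frame, on_done), &target, sizeof target);
    return finish(&f);
}

/* Same attack against the bounded write: the write is refused, the benign
 * handler still runs, result is 0. */
int exploit_hardened(void)
{
    struct frame f;
    int (*target)(void) = injected_code;
    init_frame(&f);
    (void)safe_write(&f, offsetof(struct frame, on_done), &target, sizeof target);
    return finish(&f);
}

int main(void)
{
    printf("vulnerable: handler returned 0x%x\n", exploit_vulnerable());
    printf("hardened:   handler returned 0x%x\n", exploit_hardened());
    return 0;
}
```

The point to take from it is that the canary guards only the path through the return address; any other pointer the program will later call is an equally good target, and locating it needs a known offset, not a leak of the stack.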

