Firewall Wizards mailing list archives
Re: securing bind
From: Gerardo Richarte <core.lists.firewall-wizards () core-sdi com>
Date: 23 Nov 1999 14:22:57 -0300
I tried to not quote all your message, but I have something to say about almost everything... Ken Hardy wrote:
IMHO something like StackGuard should be a standard option on *all* compilers, and all exposed services like DNS should be compiled with it enabled. Make that every bit of code (incl. kernel?) running on a firewall. It's not a cure-all for bad coding, but it does disable the hackers' favorite attack automatically w/o any application code review and patching. Well, not completely disable, but it will turn a root compromise into a DOS (program abends on stack overrun).
You are more right than what you think... The example you are using here is not a very happy example (BIND). StackGuard may be a good solution for a lot of buffer overflows, but IT'S NOT the final solution. StackGuard doesn't take care of the known IQUERY buffer overflow in BIND (http://www.securityfocus.com/vdb/bottom.html?vid=134). This is a double buffer overflow, (a buffer overflow overwriting a pointer to a buffer where information is copied later). Current StackGuard (v1.21) says it fixes this problem, but as I stated in a message in bugtraq, this is not true. While it makes it impossible to exploit it changing the return addresses in the stack, it's still possible to exploit it using a different approach. I know, as Crispin Cowan said, that there will be a new product from StackGuard's people that takes care of function pointers, while I don't know how they will do it, I KNOW that this will NOT fix the problem I recalled previously (BIND's).
See http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard. I'd be interested in knowlegeable comments about how reliable and comprehensive this approach to the stack overrun problem is, though it's probably beyond the charter of this list.
Take a look at http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-8&msg=199911092144.NAA24201 () church cse ogi edu for a description of the problem, as presented by StackGuard's people. And take a look at the thread starting with that message for a discussion of it. Specially take a look at (http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-11-8&msg=382AD8E0.304928DD () core-sdi com) where you can find an example of an exploit passing StackGuard on a double buffer overflow.
Alternatively (and higher performance?) Solaris 2 has a kernel parameter that can be set to make the stack non-executable.
Again I can use the same example: BIND. The exploit for Solaris' BIND is not trivial, and in fact uses a double buffer overflow, with the second part overwritten being libc's code segment, which is executable (of course) and is writeable in Solaris up to 2.51 (I don't know in 2.6 and 2.7, should be the same) So, while StackGuard is a solution for a lot of buffer overflows, you can't feel secured to this kind of attacks just by using it. richie -- A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0 Investigacion y Desarrollo - CoreLabs - Core SDI http://www.core-sdi.com --- For a personal reply use gera () core-sdi com
Current thread:
- securing bind Jan Stifter (Nov 17)
- Re: securing bind Craig H. Rowland (Nov 17)
- Re: securing bind chuck (Nov 18)
- Re: securing bind Ken Hardy (Nov 21)
- Re: securing bind Crispin Cowan (Nov 22)
- Re: securing bind Crispin Cowan (Nov 23)
- Re: securing bind Saravana Ram (Nov 23)
- Who to blame (was RE: securing bind) Anton J Aylward (Nov 26)
- Re: securing bind Gerardo Richarte (Nov 26)
- Re: securing bind Craig H. Rowland (Nov 17)
- <Possible follow-ups>
- Fwd: Re: securing bind Predrag Zivic (Nov 28)