oss-sec mailing list archives
Re: Offset2lib: bypassing full ASLR on 64bit Linux
From: Kees Cook <keescook () chromium org>
Date: Thu, 4 Dec 2014 15:47:34 -0800
On Thu, Dec 04, 2014 at 09:19:04PM +0100, Hector Marco wrote:
> This is a disclosure of a weakness of the ASLR Linux implementation. The problem appears when the executable is PIE compiled and it has an address leak belonging to the executable. We named this weakness: offset2lib. In this scenario, an attacker is able to de-randomize all mmapped areas (libraries, mapped files, etc.) by knowing only an address belonging to the application and the offset2lib value.
>
> We have built a PoC which bypasses, on a 64 bit Linux system, the three most widely adopted and effective protection techniques: No-eXecutable bit (NX), address space layout randomization (ASLR) and stack smashing protector (SSP). The exploit obtains a remote shell in less than one second.
>
> We have proposed the ASLRv3 which is a small Linux patch which removes the offset2lib weakness. Details of the weakness, steps to exploit the offset2lib weakness, a working proof of concept exploit, recommendations and a demonstrative video have been published at: http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html
Thanks for the research! Following the submission guidelines[1], please send your ASLRv3 patch to upstream at linux-kernel () vger kernel org and CC the following people:

Andrew Morton <akpm () linux-foundation org>
Thomas Gleixner <tglx () linutronix de>
Ingo Molnar <mingo () redhat com>
"H. Peter Anvin" <hpa () zytor com>
Russell King <linux () arm linux org uk>
Catalin Marinas <catalin.marinas () arm com>
Will Deacon <will.deacon () arm com>
Oleg Nesterov <oleg () redhat com>
Andy Lutomirski <luto () amacapital net>
Kees Cook <keescook () chromium org>

I noticed in testing that this hugely reduces the available mmap space available to 32-bit processes. I suspect this is why this wasn't done before.

Thanks!

-Kees

[1] https://www.kernel.org/doc/Documentation/SubmittingPatches

--
Kees Cook
Chrome OS Security
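The property the quoted disclosure relies on is that the distance between a PIE executable's base and the mmapped libraries does not change from run to run, so one leaked executable address fixes every library. As an added example, not code from the original thread or from the offset2lib authors, the following Python check parses /proc/<pid>/maps excerpts and reports whether that distance is constant across runs; the maps samples are constructed, and the live check assumes a Linux host with procfs and a PIE `cat`.

```python
import os
import re
import shutil
import subprocess
# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")
# Constructed /proc/maps excerpts (not real captures): two runs each of one PIE binary.
WEAK_RUNS = [  # exe mapped 0x400000 above libc in both runs: an exe leak reveals libc
    "7f1a2b600000-7f1a2b602000 r-xp 00000000 08:01 100  /usr/bin/demo\n"
    "7f1a2b200000-7f1a2b3c0000 r-xp 00000000 08:01 200  /lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffc1e000000-7ffc1e021000 rw-p 00000000 00:00 0  [stack]\n",
    "7f3c9d600000-7f3c9d602000 r-xp 00000000 08:01 100  /usr/bin/demo\n"
    "7f3c9d200000-7f3c9d3c0000 r-xp 00000000 08:01 200  /lib/x86_64-linux-gnu/libc.so.6\n",
]
FIXED_RUNS = [  # exe base randomized independently of the mmap area: distance changes
    "555555554000-555555556000 r-xp 00000000 08:01 100  /usr/bin/demo\n"
    "7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 200  /lib/x86_64-linux-gnu/libc.so.6\n",
    "55d0aa1b2000-55d0aa1b4000 r-xp 00000000 08:01 100  /usr/bin/demo\n"
    "7f9e3c60d000-7f9e3c7cd000 r-xp 00000000 08:01 200  /lib/x86_64-linux-gnu/libc.so.6\n",
]

def mapping_bases(maps_text: str) -> dict[str, int]:
    """Lowest start address of each file-backed mapping, keyed by path."""
    bases: dict[str, int] = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(2) and not m.group(2).startswith("["):  # skip anon, [stack], ...
            bases[m.group(2)] = min(int(m.group(1), 16), bases.get(m.group(2), 1 << 64))
    return bases

def offset2lib(maps_text: str, exe_path: str, lib: str = "libc"):
    """Executable base minus the base of the first mapping whose path contains `lib`."""
    bases = mapping_bases(maps_text)
    lib_base = next((b for p, b in bases.items() if lib in p), None)
    if exe_path not in bases or lib_base is None:
        return None
    return bases[exe_path] - lib_base

def offset_is_constant(samples: list[str], exe_path: str) -> bool:
    """True when every run shows the same exe-to-lib distance: the offset2lib weakness."""
    offsets = {offset2lib(s, exe_path) for s in samples}
    return None not in offsets and len(offsets) == 1

def live_check(runs: int = 5):
    """Spawn `cat /proc/self/maps` repeatedly (cat is PIE on most distros) and compare."""
    cat = shutil.which("cat")
    if cat is None or not os.path.exists("/proc/self/maps"):
        return None  # needs a Linux host with procfs
    maps = [subprocess.run([cat, "/proc/self/maps"], capture_output=True, text=True).stdout for _ in range(runs)]
    return offset_is_constant(maps, os.path.realpath(cat))
```

Call `live_check()` on the host under review: `True` means the executable-to-libc distance did not change between runs, `False` means the executable base is randomized on its own.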