oss-sec mailing list archives

Re: Offset2lib: bypassing full ASLR on 64bit Linux

From: Kees Cook <keescook () chromium org>
Date: Thu, 4 Dec 2014 15:47:34 -0800

On Thu, Dec 04, 2014 at 09:19:04PM +0100, Hector Marco wrote:

This is a disclosure of a weakness of the ASLR Linux implementation.
The problem appears when the executable is PIE compiled and it has an
address leak belonging to the executable. We named this weakness:
offset2lib.

In this scenario, an attacker is able to de-randomize all mmapped
areas (libraries, mapped files, etc.) by knowing only an address
belonging to the application and the offset2lib value.

We have built a PoC which bypasses on a 64 bit Linux system, the three
most widely adopted and effective protection techniques: No-eXecutable
bit (NX), address space layout randomization (ASLR) and stack smashing
protector (SSP). The exploit obtains a remote shell in less than one
second.

We have proposed the ASLRv3 which is a small Linux patch which removes
the offset2lib weakness.

Details of the weakness, steps to exploit the offset2lib weakness, a working
proof of concept exploit, recommendations and a demonstrative video
has been
publish at: http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html


Thanks for the research! Following the submission guidelines[1], please
send your ASLRv3 patch to upstream at linux-kernel () vger kernel org and
CC the following people:

        Andrew Morton <akpm () linux-foundation org>
        Thomas Gleixner <tglx () linutronix de>
        Ingo Molnar <mingo () redhat com>
        "H. Peter Anvin" <hpa () zytor com>
        Russell King <linux () arm linux org uk>
        Catalin Marinas <catalin.marinas () arm com>
        Will Deacon <will.deacon () arm com>
        Oleg Nesterov <oleg () redhat com>
        Andy Lutomirski <luto () amacapital net>
        Kees Cook <keescook () chromium org>

I noticed in testing that this hugely reduces the available mmap space
available to 32-bit processes. I suspect this is what this wasn't done
before.

Thanks!

-Kees

[1] https://www.kernel.org/doc/Documentation/SubmittingPatches

-- 
Kees Cook
Chrome OS Security

Current thread:

Offset2lib: bypassing full ASLR on 64bit Linux Hector Marco (Dec 04)
- Re: Offset2lib: bypassing full ASLR on 64bit Linux Kees Cook (Dec 04)
- Re: Offset2lib: bypassing full ASLR on 64bit Linux Agostino Sarubbo (Dec 05)
  - Re: Offset2lib: bypassing full ASLR on 64bit Linux Shawn (Dec 05)
- Re: Offset2lib: bypassing full ASLR on 64bit Linux Hanno Böck (Dec 05)
  - Re: Offset2lib: bypassing full ASLR on 64bit Linux Florian Weimer (Dec 05)
    - Re: Offset2lib: bypassing full ASLR on 64bit Linux Hanno Böck (Dec 05)
    - Re: Offset2lib: bypassing full ASLR on 64bit Linux Daniel Micay (Dec 05)
    - Re: Offset2lib: bypassing full ASLR on 64bit Linux Hanno Böck (Dec 05)
    - Re: Offset2lib: bypassing full ASLR on 64bit Linux Daniel Micay (Dec 05)
    - Re: Offset2lib: bypassing full ASLR on 64bit Linux Hanno Böck (Dec 05)
    - Re: Offset2lib: bypassing full ASLR on 64bit Linux Paul Pluzhnikov (Dec 05)

(Thread continues...)