oss-sec mailing list archives
Re: PIE bypass using VDSO ASLR weakness
From: Reno Robert <renorobert () gmail com>
Date: Tue, 9 Dec 2014 21:03:51 +0530
Hi Daniel,

COMPAT_VDSO is not enabled. Just that randomization is 20 bits and the same values are generated on repeated execution.

On Tue, Dec 9, 2014 at 2:08 PM, Daniel Micay <danielmicay () gmail com> wrote:
> On 09/12/14 03:05 AM, Reno Robert wrote:
>> Even in 64 bit addressing, randomization of VDSO seems to be low and the base address could be bruteforced, thus allowing to use gadgets from VDSO if not from the executable. Though VDSO is not rich in gadgets, it has a few good ones to make interesting syscalls including execve(). The blog post below describes the availability of gadgets and the feasibility of bruteforce, which could be combined for an effective payload.
>>
>> http://v0ids3curity.blogspot.in/2014/12/return-to-vdso-using-elf-auxiliary.html
>>
>> renorobert@ubuntu:~$ readelf -h ./pie
>> ELF Header:
>>   Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
>>   Class:                             ELF64
>>   Data:                              2's complement, little endian
>>   Version:                           1 (current)
>>   OS/ABI:                            UNIX - System V
>>   ABI Version:                       0
>>   Type:                              DYN (Shared object file)
>>   Machine:                           Advanced Micro Devices X86-64
>>   Version:                           0x1
>>   Entry point address:               0x620
>>
>> renorobert@ubuntu:~$ while true; do ldd ./pie; done | grep 0x00007fff969fe000
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>         linux-vdso.so.1 =>  (0x00007fff969fe000)
>>
>> Do we need better ASLR for VDSO to make PIE more effective?
>
> You must have COMPAT_VDSO enabled. It's randomized fine with a sane kernel configuration.
-- Regards, Reno Robert http://v0ids3curity.blogspot.in/
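A defender-side way to measure what the thread is arguing about, namely how many bits of the VDSO base actually vary across fresh processes and how often the same base recurs. This is an added example, not code from the thread or from either poster; it assumes a Linux host where /proc/self/maps exposes a line tagged [vdso], and it reads that file from a child Python process instead of looping over ldd.

```python
import subprocess
import sys
from collections import Counter

# Child process reads its own memory map and prints its [vdso] base in hex.
# Assumption: Linux, /proc/self/maps readable, exactly one [vdso] line.
CHILD_SRC = (
    "for line in open('/proc/self/maps'):\n"
    "    if '[vdso]' in line:\n"
    "        print(line.split('-')[0]); break\n"
)


def sample_vdso_bases(n: int) -> list:
    """Spawn n fresh processes and collect each one's VDSO base address."""
    bases = []
    for _ in range(n):
        out = subprocess.run([sys.executable, "-c", CHILD_SRC],
                             capture_output=True, text=True,
                             check=True).stdout.strip()
        if not out:
            raise RuntimeError("no [vdso] mapping found in /proc/self/maps")
        bases.append(int(out, 16))
    return bases


def aslr_stats(bases: list, page_shift: int = 12) -> dict:
    """Summarise how well a set of mapping bases is randomised.

    varying_bits counts the address bits above the page offset that ever
    differ between any two samples; with enough samples it approaches the
    number of bits the kernel really randomises.  max_repeat is how often
    the single most common base recurred, the symptom reported above.
    """
    counts = Counter(bases)
    diff_mask = 0
    for b in bases:
        diff_mask |= b ^ bases[0]
    return {
        "samples": len(bases),
        "distinct": len(counts),
        "max_repeat": counts.most_common(1)[0][1],
        "varying_bits": bin(diff_mask >> page_shift).count("1"),
    }


if __name__ == "__main__":
    # A few hundred samples are enough to see whether bases recur and
    # roughly how wide the randomised range is on this kernel.
    print(aslr_stats(sample_vdso_bases(200)))
```

If varying_bits stays far below the width of the randomised region, or max_repeat is well above what chance predicts for that width, the kernel's VDSO placement is weaker than expected and is worth raising with the distro or kernel configuration.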