
Re: wish list



On Mon, 7 Jun 1999, Crispin Cowan wrote:

W>Milan Pikula - WWW wrote:
W>
W>> On Mon, 7 Jun 1999, scooby sir wrote:
W>>
W>> W>Well,
W>> W>     If I were to contribute suggestions for a secure distro of linux,
W>> W>it would be this:
W>> W>             i)  Ship it with the international linux patch installed
W>> W>                        www.kerneli.org
W>> W>            ii)  Install the non-executable stack patch
W>>
W>> this is not a real solution.. this is a joke. there are many ways to
W>> override this protection, and this makes me label it as
W>> 'security by obscurity'.
W>
W>Nonsense.  The non-executable stack patch (and StackGuard) prevent attacks against
W>specific classes of vulnerabilities.  With the protections enabled, these
W>vulnerabilities CANNOT be exploited:  you have to go find
W>DIFFERENT vulnerabilities.  For that reason, they are not 'security by obscurity',
W>they are legitimate security enhancements.  Bonus points:  either one of them
W>alone can stop a MAJORITY of common security attacks, and together they stop even
W>more.

I'm sorry, but I know what I am talking about. Almost any exploit code CAN be
rewritten to be usable with the non-executable stack patch too. In fact, I've
never seen a hole which is unusable with it.

Consider this program (hole.c):

#include <string.h>

/* hole.c: deliberately vulnerable. argv[1] is copied into a 16-byte
   buffer with no length check, so a long argument overwrites the saved
   return address. */
int main(int argc, char *argv[])
{
	char buffer[16];
	strcpy(buffer, argv[1]);	/* unbounded copy: this is the hole */
	return 0;
}

* using normal executable stack, the exploit will look like:
[16 bytes of anything][4 anything][4 address of PAD+PADSIZE/2][padding (nops)]
[code]
and the code will run a shell.

* another solution will be this:
[16 bytes of anything][4 anything][4 address of system() in libc][4 anything
(return address from system())][4 address of PAD+PADSIZE/2][padding ('/')]
[string /bin/sh]

With the non-executable stack patch from Solar Designer the first attempt will
not work, because the stack is not executable. The second will not work either:
libc is mapped from an address containing 0, so the address of system() cannot
be used. But the program uses strcpy() from libc, so it contains something
called the PLT (procedure linkage table), which resides elsewhere in memory and
contains a jump to the libc routine. There are many address ranges in a running
program which are mapped READ-WRITE-EXEC. We can find such an address in our
hole.c too, using /proc/pid/maps or objdump. I'll refer to one such address;
it may be randomly chosen from an rwx mapped range (it cannot contain a zero
byte, of course). Let's name it addr1.

* sol1
[16 bytes of anything][4 anything][4 address of strcpy() in PLT]
[4 bytes: ret from strcpy() = addr1][4 "from": address of PAD+PADSIZE/2]
[4 "to": addr1][padding (nops)][normal code which will run shell]

That will return to strcpy() (via the PLT; this is usable with Solar's patch too),
strcpy() will copy the code from the stack to normal executable memory and then
return to it.

For a working example look at
   http://fornax.elf.stuba.sk/~www/symlink/Pineapple/Exploit/example3/

bye,
		Milan Pikula

--
Milan Pikula, WWW. Finger me for Geek Code.
http://fornax.elf.stuba.sk/~www, www@fornax.elf.stuba.sk
.. give me a leased line and I'll move the globe ..

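The bypass above depends on the process having a region mapped read-write-exec to copy into. As an added example (not code from the mail or from any of the projects it mentions), here is a small C audit that parses text in /proc/<pid>/maps format and reports every writable+executable region; SAMPLE_MAPS is a constructed sample, not a real process map, and the function names are mine:

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/<pid>/maps format (not a real process). The
   second line is a region mapped rwx, the precondition the copy-then-return
   trick in the mail relies on. */
static const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 03:01 1234 /tmp/hole\n"
    "08049000-0804a000 rwxp 00000000 03:01 1234 /tmp/hole\n"
    "40000000-40013000 r-xp 00000000 03:01 5678 /lib/ld-linux.so.2\n"
    "bffff000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

/* Parse one maps line ("start-end perms offset dev inode [path]").
   Returns 1 if the region is both writable and executable, else 0. */
int line_is_rwx(const char *line)
{
    unsigned long start, end;
    char perms[5];
    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return 0;                       /* malformed line: ignore it */
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Walk a buffer of maps text line by line, print each rwx region and
   return how many were found (0 means no writable+executable memory). */
int count_rwx_regions(const char *maps_text)
{
    int found = 0;
    const char *p = maps_text;
    while (*p) {
        char line[512];
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line - 1 ? full : sizeof line - 1;
        memcpy(line, p, len);           /* overlong lines are truncated */
        line[len] = '\0';
        if (line_is_rwx(line)) {
            printf("writable+executable: %s\n", line);
            found++;
        }
        p += full + (nl ? 1 : 0);       /* skip the newline, if any */
    }
    return found;
}
```

To audit a live process, read /proc/<pid>/maps into a buffer and pass it to count_rwx_regions(); a non-zero result means the non-executable stack alone leaves the copy-then-return path open.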

-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/