| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 04 Dec 2014 21:19:04 +0100 From: Hector Marco <hecmargi@....es> To: full-disclosure@...ts.grok.org.uk, fulldisclosure@...lists.org, bugtraq@...urityfocus.com, bugs@...uritytracker.com, submissions@...ketstormsecurity.org, oss-security@...ts.openwall.com Subject: Offset2lib: bypassing full ASLR on 64bit Linux Hi, This is a disclosure of a weakness of the ASLR Linux implementation. The problem appears when the executable is PIE compiled and it has an address leak belonging to the executable. We named this weakness: offset2lib. In this scenario, an attacker is able to de-randomize all mmapped areas (libraries, mapped files, etc.) by knowing only an address belonging to the application and the offset2lib value. We have built a PoC which bypasses on a 64 bit Linux system, the three most widely adopted and effective protection techniques: No-eXecutable bit (NX), address space layout randomization (ASLR) and stack smashing protector (SSP). The exploit obtains a remote shell in less than one second. We have proposed the ASLRv3 which is a small Linux patch which removes the offset2lib weakness. Details of the weakness, steps to exploit the offset2lib weakness, a working proof of concept exploit, recommendations and a demonstrative video has been publish at: http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html Hector Marco. http://cybersecurity.upv.es
Powered by blists - more mailing lists