lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <o2w4a6942471004271134nd02477bbm57afbcdba9fb0f8d@mail.gmail.com>
Date: Tue, 27 Apr 2010 14:34:35 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Fun with FORTIFY_SOURCE

I wanted to share a neat little trick I discovered while playing with
gcc's FORTIFY_SOURCE feature.  For those who don't know, this feature
attempts to prevent exploitation of a subset of buffer overflows by
inserting a set of checks at compile-time, including stack canaries
for some functions.  It's enabled by default in many cases.  In
particular, when FORTIFY_SOURCE detects an overflow, it aborts
execution and prints an error message that might look similar to the
following:

*** stack smashing detected ***: ./strcpy terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x40)[0x502b30]
/lib/libc.so.6(__fortify_fail+0x0)[0x502af0]
./strcpy[0x80484d5]
[0x41414141]
======= Memory map: ========
...
Aborted

Notice that this error message contains a reference to the
application's name, which is obtained by simply relying on argv[0].
Assuming the application was aborted because of a controllable
stack-based buffer overflow, in some cases an attacker may be able to
continue overflowing past the vulnerable buffer, overwriting the
argv[0] pointer, causing the error message to print arbitrary memory
addresses, as in the following contrived example:

$ ./strcpy `perl -e 'print "\xa0\x85\x04\x08"x80'`

*** stack smashing detected ***: THIS IS A SECRET terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x40)[0x1f3b30]
/lib/libc.so.6(__fortify_fail+0x0)[0x1f3af0]
THIS IS A SECRET[0x80484d5]
THIS IS A SECRET[0x80485a0]
======= Memory map: ========
...
Aborted

If an attacker ever stumbles upon a setuid application with an
overflow that's caught by FORTIFY_SOURCE, this may be used to read the
application's address space (which may contain sensitive information),
even if code execution is mitigated.  Because it relies on the
existence of another vulnerability, I wouldn't consider this a serious
issue by any means, but it's probably something that's worth fixing
eventually.

Happy hacking,
Dan Rosenberg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ