lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5480C1B8.3030305@upv.es>
Date: Thu, 04 Dec 2014 21:19:04 +0100
From: Hector Marco <hecmargi@....es>
To: full-disclosure@...ts.grok.org.uk, fulldisclosure@...lists.org,
  bugtraq@...urityfocus.com, bugs@...uritytracker.com,
  submissions@...ketstormsecurity.org, oss-security@...ts.openwall.com
Subject: Offset2lib: bypassing full ASLR on 64bit Linux

Hi,

This is a disclosure of a weakness of the ASLR Linux implementation.
The problem appears when the executable is PIE compiled and it has an
address leak belonging to the executable. We named this weakness:
offset2lib.

In this scenario, an attacker is able to de-randomize all mmapped
areas (libraries, mapped files, etc.) by knowing only an address
belonging to the application and the offset2lib value.

We have built a PoC which bypasses on a 64 bit Linux system, the three
most widely adopted and effective protection techniques: No-eXecutable
bit (NX), address space layout randomization (ASLR) and stack smashing
protector (SSP). The exploit obtains a remote shell in less than one
second.

We have proposed the ASLRv3 which is a small Linux patch which removes
the offset2lib weakness.

Details of the weakness, steps to exploit the offset2lib weakness, a working
proof of concept exploit, recommendations and a demonstrative video has 
been
publish at: http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html


Hector Marco.

http://cybersecurity.upv.es

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ