Message-ID: <20141211224501.2292cdee@pc>
Date:	Thu, 11 Dec 2014 22:45:01 +0100
From:	Hanno Böck <hanno@...eck.de>
To:	linux-kernel@...r.kernel.org
Cc:	security@...nel.org
Subject: VDSO randomization not very random

Hello,

I already reported this into your bugzilla, however Greg KH told me it
might be a better idea to post it here:

With current Linux kernels it seems the address randomization for
loading the vdso library is not that random and can easily be
bruteforced.

This can easily be demonstrated. Get libvdso address from one
executable:
$ ldd /usr/bin/less|grep vdso
	linux-vdso.so.1 (0x00007fff73bfe000)

Now run ldd multiple times and check if the same address appears:
# loop forever, counting runs and printing the run number whenever
# the address seen above shows up again (grep -q exits 0 on a match)
c=0; while true; do c=$((c+1)); \
    ldd /usr/bin/less | grep -q 0x00007fff73bfe000 && echo "$c"; done

It usually takes only a few seconds and around 1000-2000 tries until
the loading address is repeated (note that results may vary, it seems
the randomization is biased, some values repeat more often than others).

This information is mostly from this blog entry:
http://v0ids3curity.blogspot.in/2014/12/return-to-vdso-using-elf-auxiliary.html
And here's a thread on oss-security discussing the issue:
http://www.openwall.com/lists/oss-security/2014/12/09/10

The latest version of paxtest added a check for this that guesses the
randomness of vdso:
https://grsecurity.net/~spender/paxtest-0.9.13.tar.gz
$ ./randvdso
VDSO randomisation test                  : 11 quality bits (guessed)

Bugzilla entry:
https://bugzilla.kernel.org/show_bug.cgi?id=89591

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
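Added example (not part of Hanno's mail, of paxtest, or of the kernel): a small audit script that samples the vDSO base across fresh processes and estimates the randomization quality the mail discusses. It assumes a Linux system where /proc/<pid>/maps lists a "[vdso]" mapping; the estimators themselves work on any list of addresses, and the maps text below is a constructed sample. The "tries until repeat" estimator ties the mail's two observations together: if one fixed address recurs after roughly 1000-2000 runs, the effective slot count is about that many, i.e. roughly 10-11 bits.

```python
"""Estimate vDSO load-address randomization quality (added illustration).

Assumptions: Linux, /proc/self/maps readable, vDSO mapped on 4 KiB pages.
Each exec gets a fresh layout, so the sampler spawns a new process per
sample instead of reading the address once.
"""
import math
import re
import subprocess
from collections import Counter

PAGE_SIZE = 4096

# Matches a /proc/<pid>/maps line such as
#   7fff73bfe000-7fff73c00000 r-xp 00000000 00:00 0   [vdso]
_VDSO_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s.*\[vdso\]\s*$", re.MULTILINE)

# Constructed sample of maps output, not captured from a real system.
CONSTRUCTED_MAPS = (
    "7f2b6c000000-7f2b6c1c0000 r-xp 00000000 08:01 1234   /lib/libc.so.6\n"
    "7fff73bfe000-7fff73c00000 r-xp 00000000 00:00 0      [vdso]\n"
)


def vdso_base_from_maps(maps_text: str):
    """Return the vDSO base address parsed from maps text, or None if absent."""
    m = _VDSO_LINE.search(maps_text)
    return int(m.group(1), 16) if m else None


def sample_vdso_bases(n: int):
    """Spawn n fresh processes and collect each one's vDSO base (Linux only)."""
    bases = []
    for _ in range(n):
        out = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                             text=True, check=True).stdout
        base = vdso_base_from_maps(out)
        if base is not None:
            bases.append(base)
    return bases


def span_bits(addrs, page_size=PAGE_SIZE):
    """Upper bound on quality: log2 of the page slots spanned by min..max."""
    slots = (max(addrs) - min(addrs)) // page_size + 1
    return math.log2(slots)


def shannon_bits(addrs):
    """Entropy of the observed distribution; a biased generator (some values
    repeating far more often than others) scores well below span_bits."""
    counts = Counter(addrs)
    n = len(addrs)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def bits_from_tries_until_repeat(tries: int):
    """If one fixed address recurs after about `tries` fresh runs, the
    effective number of slots is about `tries`, i.e. log2(tries) bits."""
    return math.log2(tries)


def hottest(addrs, k=3):
    """Most frequently observed addresses, to spot biased slots."""
    return Counter(addrs).most_common(k)


if __name__ == "__main__":
    bases = sample_vdso_bases(2000)
    if bases:
        print(f"samples: {len(bases)}, distinct: {len(set(bases))}")
        print(f"span estimate  : {span_bits(bases):.2f} bits")
        print(f"shannon bits   : {shannon_bits(bases):.2f} bits")
        print("hottest addresses:", [(hex(a), c) for a, c in hottest(bases)])
    else:
        print("no [vdso] mapping found; run on Linux")
```

Shannon entropy of a sample can never exceed log2(number of samples), so compare it against span_bits rather than reading it as an absolute measure; a large gap between the two is the bias the mail describes.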
