Re: [Full-disclosure] Exploiting buffer overflows via protected GCC
On Mon, Feb 16, 2009 at 09:00:33AM -0500, ArcSighter Elite wrote:
> James Matthews wrote:
> > I would recommend doing the following things.
> > 1. Ask on the Ubuntu GCC list what protection is implemented. (Or just look at the source)
> > 2. Use GCC to see where the execution is being redirected and so you can have a better visual of what's going on.
> > 3. Are you sure the stack is executable?

__fortify_fail is caused by the lightweight buffer overflow checking, enabled by the -D_FORTIFY_SOURCE=2 compile-time flag.

Ciao, Marcus

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
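An added example for telling the two mechanisms apart; it is mine, not code from anyone in the thread. glibc's _FORTIFY_SOURCE rewrites memset(dst, c, n) into __memset_chk(dst, c, n, __builtin_object_size(dst, 0)), so the check only exists when the destination size is known at compile time, and glibc only enables it when compiling with -O1 or higher; when it fires the message is "buffer overflow detected". -fstack-protector compares the canary in the function epilogue and fails with "stack smashing detected". Both messages are printed by __fortify_fail, so the __fortify_fail frame in a backtrace does not say which mechanism fired; the message text does. The block uses __builtin_object_size to show what FORTIFY can and cannot see, and checked_memset is my stand-in for __memset_chk that returns a result instead of aborting.

```c
/* Added example, not from the thread. FORTIFY_SOURCE turns memset(dst, c, n)
 * into __memset_chk(dst, c, n, __builtin_object_size(dst, 0)); the check can
 * only exist when __builtin_object_size knows the destination size, and glibc
 * enables it only with -O1 or higher.
 * Build: gcc -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector fortify_vs_ssp.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A local fixed-size array: FORTIFY sees exactly 512 bytes. */
size_t object_size_of_local(void)
{
    char buf[512];
    buf[0] = '\0';                       /* touch it so it is a real object */
    return __builtin_object_size(buf, 0);
}

/* A pointer of unknown provenance: FORTIFY sees (size_t)-1, "unknown", and
 * emits a plain, unchecked memset. noinline so the caller's knowledge of the
 * allocation cannot leak in through inlining. */
__attribute__((noinline))
size_t object_size_of_pointer(char *p)
{
    return __builtin_object_size(p, 0);
}

size_t object_size_of_heap_pointer(void)
{
    char *p = malloc(16);
    if (p == NULL)
        return 0;
    size_t sz = object_size_of_pointer(p);
    free(p);
    return sz;
}

/* Stand-in for glibc's __memset_chk. The real one calls __chk_fail(), which
 * calls __fortify_fail("buffer overflow detected") and never returns; this
 * version returns 0 instead so the decision can be inspected. */
int checked_memset(void *dst, int c, size_t n, size_t dst_size)
{
    if (n > dst_size)
        return 0;                        /* FORTIFY would abort here */
    memset(dst, c, n);
    return 1;
}

/* The exact situation in bof.c: constant 528 into char[512]. Returns 1 when
 * the FORTIFY check would fire (the write is never performed). */
int bof_memset_is_fortify_checked(void)
{
    char buf[512];
    return checked_memset(buf, 'A', 528, __builtin_object_size(buf, 0)) == 0;
}

/* The same write through an unknown-size pointer: FORTIFY has no size to
 * compare against, so only the canary (checked at return) or a crash can
 * catch it. Returns 1 if FORTIFY would fire, 0 if the write goes through. */
__attribute__((noinline))
int unknown_dest_is_fortify_checked(char *dst, size_t n)
{
    return checked_memset(dst, 'A', n, __builtin_object_size(dst, 0)) == 0;
}

int unknown_dest_demo(void)
{
    char big[1024];                      /* large enough that the write is safe */
    return unknown_dest_is_fortify_checked(big, 528);
}

int main(void)
{
    printf("object size of local char[512] : %zu\n", object_size_of_local());
    printf("object size of heap pointer    : %zu\n", object_size_of_heap_pointer());
    printf("bof.c memset caught by FORTIFY : %d\n", bof_memset_is_fortify_checked());
    printf("528 bytes via unknown pointer  : %d\n", unknown_dest_demo());
    return 0;
}
```

If a binary was built without optimization, which is what a bare `gcc bof.c` on Ubuntu does, the __memset_chk path does not exist at all and the canary is the only thing standing between the 528-byte write and the return address; checking the exact message text, and `objdump -d` for a call to __memset_chk versus __stack_chk_fail, settles which one fired.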
Re: [Full-disclosure] Exploiting buffer overflows via protected GCC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James Matthews wrote:
> I would recommend doing the following things.
> 1. Ask on the Ubuntu GCC list what protection is implemented. (Or just look at the source)
> 2. Use GCC to see where the execution is being redirected and so you can have a better visual of what's going on.
> 3. Are you sure the stack is executable?
>
> On Sat, Feb 14, 2009 at 12:30 AM, Marcus Meissner meiss...@suse.de wrote:
> > On Fri, Feb 13, 2009 at 11:50:11AM -0500, Jason Starks wrote:
> > > I came across a problem that I am sure many security researchers have seen before:
> > >
> > > ja...@uboo:~$ cat bof.c
> > > #include <stdio.h>
> > > #include <string.h>
> > >
> > > int main(void)
> > > {
> > >     char buf[512];
> > >     memset(buf, 'A', 528);   /* 16 bytes past the end of buf: the deliberate overflow */
> > >     return 0;
> > > }
> > > ja...@uboo:~$
> > > ja...@uboo:~$ ./bof
> > > *** stack smashing detected ***: ./bof terminated
> > > ======= Backtrace: =========
> > > /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f08548]
> > > ja...@uboo:~$
> > >
> > > I have googled my brains out for a solution, but all I have gathered is that my Ubuntu's gcc is compiled with SSP and every time I try to overwrite the return address it also overwrites the canary's value, and triggers a stop in the program. I've disassembled it and anybody who can help me probably doesn't need me to explain much more, but I would like to know a way to get this. There seems to be some people on this list who may know something on how to exploit on *nix systems with this protection enabled. I do not want to just disable the protection and exploit it normally, I want
> >
> > Perhaps you should learn first exactly _what_ caught your buffer overflow.
> > Hint: It was not SSP aka -fstack-protector.
> >
> > Ciao, Marcus

Ubuntu and recent kernels also implement ASLR. So, that may be the issue, besides StackGuard.

Sincerely.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD4DBQFJmXGAH+KgkfcIQ8cRAmG0AJ0c9rFv2hd43oP2iR8EYCRC0gwKgwCYpXqo
1kRbO2tqcJ31JrUw3uNiRA==
=FGDQ
-----END PGP SIGNATURE-----
[Full-disclosure] [ MDVSA-2009:037 ] bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:037
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : bind
 Date    : February 16, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly
 check the return value from the OpenSSL EVP_VerifyFinal function, which
 allows remote attackers to bypass validation of the certificate chain via a
 malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and
 CVE-2009-0025.

 In this particular case the DSA_verify function was fixed with
 MDVSA-2009:002; this update addresses the RSA_verify function
 (CVE-2009-0265).
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 1995bb55159c0b12b434c57b7c32a305  2008.0/i586/bind-9.4.2-1.3mdv2008.0.i586.rpm
 7942542098d37b1be3b3cc45ed824a3a  2008.0/i586/bind-devel-9.4.2-1.3mdv2008.0.i586.rpm
 88a21619673fe9b541579f287bee4ca4  2008.0/i586/bind-utils-9.4.2-1.3mdv2008.0.i586.rpm
 4a8ba040ab7d3fb9c710bcfeb7601ff9  2008.0/SRPMS/bind-9.4.2-1.3mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 45a0c84471cbf3c31da2f51b07e5dcdd  2008.0/x86_64/bind-9.4.2-1.3mdv2008.0.x86_64.rpm
 83e3b9c4af4789fc9156887373e190ad  2008.0/x86_64/bind-devel-9.4.2-1.3mdv2008.0.x86_64.rpm
 a1d910a92913bb809e976963335d3ec9  2008.0/x86_64/bind-utils-9.4.2-1.3mdv2008.0.x86_64.rpm
 4a8ba040ab7d3fb9c710bcfeb7601ff9  2008.0/SRPMS/bind-9.4.2-1.3mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 b1d620b91aeeeda30eddde159f458aa9  2008.1/i586/bind-9.5.0-3.3mdv2008.1.i586.rpm
 6266f0be18de71d9d9674f4773fbc720  2008.1/i586/bind-devel-9.5.0-3.3mdv2008.1.i586.rpm
 a08062c8bd8ce1395525d7775eaefc71  2008.1/i586/bind-doc-9.5.0-3.3mdv2008.1.i586.rpm
 c0aa3cf70be87286222ddcec64933ddd  2008.1/i586/bind-utils-9.5.0-3.3mdv2008.1.i586.rpm
 209ce678e0643ba458c59b279326ca57  2008.1/SRPMS/bind-9.5.0-3.3mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 46af49a5a461d6da93441fcfc46f9324  2008.1/x86_64/bind-9.5.0-3.3mdv2008.1.x86_64.rpm
 ca7a532053219a09a57f6ec7203d1ced  2008.1/x86_64/bind-devel-9.5.0-3.3mdv2008.1.x86_64.rpm
 7cea9c996e69430c51de22e3e0bff929  2008.1/x86_64/bind-doc-9.5.0-3.3mdv2008.1.x86_64.rpm
 fe5816ec0c790a0bef2ddb1df281af12  2008.1/x86_64/bind-utils-9.5.0-3.3mdv2008.1.x86_64.rpm
 209ce678e0643ba458c59b279326ca57  2008.1/SRPMS/bind-9.5.0-3.3mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 5da06c9a5d6f211c4dec3ba08e96b436  2009.0/i586/bind-9.5.0-6.3mdv2009.0.i586.rpm
 5d44ff32935f2323491a96ac4a01a254  2009.0/i586/bind-devel-9.5.0-6.3mdv2009.0.i586.rpm
 9640415878cb94e4d7cb6325ecf3c196  2009.0/i586/bind-doc-9.5.0-6.3mdv2009.0.i586.rpm
 69c0964ae640f731b82607059aa86873  2009.0/i586/bind-utils-9.5.0-6.3mdv2009.0.i586.rpm
 21042dd8411237227c4cc18eade02d07  2009.0/SRPMS/bind-9.5.0-6.3mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 6aa7b310659ebc0f2d285aac499966f4  2009.0/x86_64/bind-9.5.0-6.3mdv2009.0.x86_64.rpm
 0f4843c929135d38494c155eb5517958  2009.0/x86_64/bind-devel-9.5.0-6.3mdv2009.0.x86_64.rpm
 e3398d5b0e877cf6b6a2413e5f9546f4  2009.0/x86_64/bind-doc-9.5.0-6.3mdv2009.0.x86_64.rpm
 24a0d8fafe7c210bc85434983cc2eeb1  2009.0/x86_64/bind-utils-9.5.0-6.3mdv2009.0.x86_64.rpm
 21042dd8411237227c4cc18eade02d07  2009.0/SRPMS/bind-9.5.0-6.3mdv2009.0.src.rpm

 Corporate 3.0:
 3c9378a0167e263e83d9105ac7d0566e  corporate/3.0/i586/bind-9.2.3-6.7.C30mdk.i586.rpm
 fc5c1335f1a85e450d3dd20ed81e621f  corporate/3.0/i586/bind-devel-9.2.3-6.7.C30mdk.i586.rpm
 8e1a0a718eb51de4e70b9287266b0c75  corporate/3.0/i586/bind-utils-9.2.3-6.7.C30mdk.i586.rpm
 c7e931c9818e0731ed32c12e7e9011b4  corporate/3.0/SRPMS/bind-9.2.3-6.7.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 cd4653ae14e91c5844d87321ea237c7c  corporate/3.0/x86_64/bind-9.2.3-6.7.C30mdk.x86_64.rpm
 708b8bbdb1fa1d2150c8cb5208bf8d24  corporate/3.0/x86_64/bind-devel-9.2.3-6.7.C30mdk.x86_64.rpm
 7a3cc2cbe29c9c8397bdcdcd63b543fc  corporate/3.0/x86_64/bind-utils-9.2.3-6.7.C30mdk.x86_64.rpm
 c7e931c9818e0731ed32c12e7e9011b4  corporate/3.0/SRPMS/bind-9.2.3-6.7.C30mdk.src.rpm

 Corporate 4.0:
 91ee1fc0fa2836df33aad4c3ee72ab8d  corporate/4.0/i586/bind-9.3.5-0.6.20060mlcs4.i586.rpm
 9687a3135e2f364defc1805be357afe5  corporate/4.0/i586/bind-devel-9.3.5-0.6.20060mlcs4.i586.rpm
 1796c645d6562c03e75653a8a2de65ab  corporate/4.0/i586/bind-utils-9.3.5-0.6.20060mlcs4.i586.rpm
 ec3f68ba6cb3085f82d6fe824e80229f  corporate/4.0/SRPMS/bind-9.3.5-0.6.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 744a195594365d711938d0e40305f780  corporate/4.0/x86_64/bind-9.3.5-0.6.20060mlcs4.x86_64.rpm
 4432e2d80856fa42f7fbb19f1f45e65d
[Full-disclosure] [ MDVSA-2009:038 ] blender
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:038
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : blender
 Date    : February 16, 2009
 Affected: 2008.1, 2009.0
 _______________________________________________________________________

 Problem Description:

 Python has a variable called sys.path that contains all paths where
 Python loads modules by using the import scripting procedure. Wrong
 handling of that variable enables local attackers to execute arbitrary
 code via Python scripting in the current Blender working directory
 (CVE-2008-4863).

 This update provides a fix for that vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4863
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 8fe2fd2741c0a1fca74bd653d74b527f  2008.1/i586/blender-2.45-7.2mdv2008.1.i586.rpm
 4714499cfd80c45bdd66f662d4bb081b  2008.1/SRPMS/blender-2.45-7.2mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 12b5389df35b1684cf477c446954a55b  2008.1/x86_64/blender-2.45-7.2mdv2008.1.x86_64.rpm
 4714499cfd80c45bdd66f662d4bb081b  2008.1/SRPMS/blender-2.45-7.2mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 eef9857e521b4abde0d3b7c47a9cb9a5  2009.0/i586/blender-2.47-2.1mdv2009.0.i586.rpm
 141773f95893bd41224e43381a1ccd86  2009.0/SRPMS/blender-2.47-2.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 d9b2eb8c7da84a952aba2d765f7b42de  2009.0/x86_64/blender-2.47-2.1mdv2009.0.x86_64.rpm
 141773f95893bd41224e43381a1ccd86  2009.0/SRPMS/blender-2.47-2.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJmWygmqjQ0CJFipgRAkE5AJ9Xv9+PFZlZtXQKOJoQO70HohMyNgCgw6lI
lMhR+TqWhoALKmCBm+Ov1XU=
=RvXK
-----END PGP SIGNATURE-----
[Full-disclosure] [ MDVSA-2009:039 ] gedit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:039
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : gedit
 Date    : February 16, 2009
 Affected: 2008.1, 2009.0
 _______________________________________________________________________

 Problem Description:

 Python has a variable called sys.path that contains all paths where
 Python loads modules by using the import scripting procedure. Wrong
 handling of that variable enables local attackers to execute arbitrary
 code via Python scripting in the current gedit working directory
 (CVE-2009-0314).

 This update provides a fix for that vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0314
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 ddb94747dc541a7d072bb4c543070fd7  2008.1/i586/gedit-2.22.0-1.1mdv2008.1.i586.rpm
 578e6f94403e97a89193d7a12145bacd  2008.1/i586/gedit-devel-2.22.0-1.1mdv2008.1.i586.rpm
 fcc497a78b853aab0a6964ad1edd659f  2008.1/SRPMS/gedit-2.22.0-1.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 bf94638effcf8a932691c75b6c457a4f  2008.1/x86_64/gedit-2.22.0-1.1mdv2008.1.x86_64.rpm
 5f04e2a993a47d9438b6707a532a7ddb  2008.1/x86_64/gedit-devel-2.22.0-1.1mdv2008.1.x86_64.rpm
 fcc497a78b853aab0a6964ad1edd659f  2008.1/SRPMS/gedit-2.22.0-1.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 e58b21b75e89b81211b8220523a5dd0d  2009.0/i586/gedit-2.24.0-1.1mdv2009.0.i586.rpm
 757bc407cc43122272d1bacef5ce8a32  2009.0/i586/gedit-devel-2.24.0-1.1mdv2009.0.i586.rpm
 07970b1c57aa2f6bb22bfc9cb403268b  2009.0/SRPMS/gedit-2.24.0-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 c23506f8647266e4ebfc390536bc2b39  2009.0/x86_64/gedit-2.24.0-1.1mdv2009.0.x86_64.rpm
 2e3c0751171aa613c4a65cd963b0f325  2009.0/x86_64/gedit-devel-2.24.0-1.1mdv2009.0.x86_64.rpm
 07970b1c57aa2f6bb22bfc9cb403268b  2009.0/SRPMS/gedit-2.24.0-1.1mdv2009.0.src.rpm
 _______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJmXxGmqjQ0CJFipgRAkfAAJ9t3goTdKhfjOsM5HnBtogUvB4kRQCgjval
ruVz10mVcKkweQgP4bQ2YDk=
=WSi/
-----END PGP SIGNATURE-----
[Full-disclosure] [ MDVSA-2009:040 ] dia
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:040
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : dia
 Date    : February 16, 2009
 Affected: 2008.1, 2009.0
 _______________________________________________________________________

 Problem Description:

 Python has a variable called sys.path that contains all paths where
 Python loads modules by using the import scripting procedure. Wrong
 handling of that variable enables local attackers to execute arbitrary
 code via Python scripting in the current dia working directory
 (CVE-2008-5984).

 This update provides a fix for that vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5984
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 307728790d5ed938afc2cdc971430828  2008.1/i586/dia-0.96.1-3.1mdv2008.1.i586.rpm
 9d83cd4ed0a42cf5e32a68482f72faee  2008.1/SRPMS/dia-0.96.1-3.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 16307a8d776d714e38c926419bdc655c  2008.1/x86_64/dia-0.96.1-3.1mdv2008.1.x86_64.rpm
 9d83cd4ed0a42cf5e32a68482f72faee  2008.1/SRPMS/dia-0.96.1-3.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 060d069bb0196938f93e2e08bf802b85  2009.0/i586/dia-0.96.1-4.1mdv2009.0.i586.rpm
 0be95063e54104fe001d1d560c77baf0  2009.0/SRPMS/dia-0.96.1-4.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 ca9a9cf5a8b3726661a62f93a2a3f227  2009.0/x86_64/dia-0.96.1-4.1mdv2009.0.x86_64.rpm
 0be95063e54104fe001d1d560c77baf0  2009.0/SRPMS/dia-0.96.1-4.1mdv2009.0.src.rpm
 _______________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJmctWmqjQ0CJFipgRAkYuAJwPDOUw7CrO/So0fnakeA2xch13RwCgxyim
QMmNppOR4xc0ZDeYbe7iRds=
=ruB8
-----END PGP SIGNATURE-----
Re: [Full-disclosure] Exploiting buffer overflows via protected GCC
> > memset(buf, 'A', 528);
>
> Don't do that. This sort of whoops is exactly what the gcc SSP canary is designed to stop.

I could comment on this, but... I'll leave it.

> > I have googled my brains out for a solution, but all I have gathered is that my Ubuntu's gcc is compiled with SSP and every time I try to overwrite the return address it also overwrites the canary's value, and triggers a stop in the program. I've disassembled it and anybody who can help me probably doesn't need me to explain much more, but I would like to know a way to get this. There seems to be some people on this list who may know something on how to exploit on *nix systems with this protection enabled.
>
> What you want to do is be more precise in your splatting. Instead of one memset, see if you can come up with a way to do *two* memsets, which leave your stack looking like:
>
>     'A' (above the canary)
>     4 unmolested bytes of canary
>     'A' (below the canary)
>
> Of course, if you're trying to exploit already-existing code, you probably only have one memset/strcpy you can abuse, and the starting address of the destination is already nailed down, which means you need to fill in the 4 bytes of canary correctly. This means you need to find a way to obtain the value so you can use it.
>
> One hint - sometimes you're better off targeting the stack frame 2 or 3 function calls back, rather than the *current* frame.

You commenting on exploitation is kind of like asking a deaf person what their favorite song is. You obviously have no clue what you are talking about, due to the fact you offered absolutely no insight into the protection mechanism he was asking about, nor potential means of exploitation. Given this the real question remains, do you actually believe you have any clue about this stuff, or are you like Wallace and just want to post useless shit?

-- 
ciao
JT
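The canary-preserving payload described in the quoted reply, as an added example; this is mine, not code from anyone in the thread. It models, in a plain C struct, the frame that -fstack-protector lays out for bof.c on 32-bit x86 (assumed order from low to high address: buf, canary, saved EBP, return address) and simulates the epilogue check, so it can show that one contiguous run of 'A' that reaches the return address also overwrites the canary and trips __stack_chk_fail, while a single write whose bytes reproduce the live canary at the right offset passes the check with the return address replaced. The guard value, the addresses and the payload are all constructed; nothing here touches a real process.

```c
/* Added example, not from the thread. A model of the frame -fstack-protector
 * produces for bof.c on 32-bit x86 (assumed layout, low to high address:
 * buf, canary, saved EBP, return address) plus the epilogue check, used to
 * compare a naive overflow with one that keeps the canary bytes intact. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512

struct frame {
    char     buf[BUF_SIZE];   /* the local being overflowed */
    uint32_t canary;          /* copy of the per-process guard, verified on return */
    uint32_t saved_fp;        /* saved EBP */
    uint32_t ret;             /* return address: the real target */
};

union frame_bytes {
    struct frame f;
    uint8_t      raw[sizeof(struct frame)];   /* 524 bytes, written as one span */
};

enum outcome { OUT_CLEAN = 0, OUT_SSP_ABORT = 1, OUT_HIJACKED = 2 };

/* Stand-in for the instrumented epilogue: compare the canary with the guard,
 * then "return". Reports where control would go. */
static enum outcome epilogue(const union frame_bytes *fr, uint32_t guard,
                             uint32_t original_ret)
{
    if (fr->f.canary != guard)
        return OUT_SSP_ABORT;   /* __stack_chk_fail(): "*** stack smashing detected ***" */
    return fr->f.ret == original_ret ? OUT_CLEAN : OUT_HIJACKED;
}

/* What the prologue does: copy the guard in, leave a legitimate return address. */
static void prologue(union frame_bytes *fr, uint32_t guard, uint32_t original_ret)
{
    memset(fr->raw, 0, sizeof fr->raw);
    fr->f.canary   = guard;
    fr->f.saved_fp = 0xbffff000u;   /* constructed, plausible for a 32-bit stack */
    fr->f.ret      = original_ret;
}

/* Case 1: the thread's bof.c, one memset running past the end of buf. */
enum outcome simulate_naive(uint32_t guard, size_t n)
{
    union frame_bytes fr;
    const uint32_t original_ret = 0x08048400u;   /* constructed */
    prologue(&fr, guard, original_ret);
    if (n > sizeof fr.raw)
        n = sizeof fr.raw;          /* stay inside the model */
    memset(fr.raw, 'A', n);         /* 528 covers buf, canary, saved EBP and ret */
    return epilogue(&fr, guard, original_ret);
}

/* Case 2's payload: 512 filler bytes, then the 4 canary bytes the attacker
 * believes are live, then 4 bytes for the saved frame pointer, then the new
 * return address. Returns the payload length (524). out must hold 524 bytes. */
size_t build_payload(uint8_t *out, uint32_t canary_guess, uint32_t new_ret)
{
    size_t off = 0;
    memset(out + off, 'A', BUF_SIZE);       off += BUF_SIZE;
    memcpy(out + off, &canary_guess, 4);    off += 4;   /* must equal the guard */
    memset(out + off, 'B', 4);              off += 4;   /* saved EBP, don't care */
    memcpy(out + off, &new_ret, 4);         off += 4;
    return off;
}

/* Case 2: still a single contiguous write, but with the canary filled in. */
enum outcome simulate_precise(uint32_t guard, uint32_t canary_guess, uint32_t new_ret)
{
    union frame_bytes fr;
    uint8_t payload[sizeof(struct frame)];
    const uint32_t original_ret = 0x08048400u;   /* constructed */
    prologue(&fr, guard, original_ret);
    size_t n = build_payload(payload, canary_guess, new_ret);
    memcpy(fr.raw, payload, n);     /* the one memset/strcpy the attacker controls */
    return epilogue(&fr, guard, original_ret);
}

int main(void)
{
    const uint32_t guard = 0x7c3e9a00u;   /* constructed; low byte 0x00 as glibc does on x86 */
    printf("naive 528-byte memset : %d (1 = SSP abort)\n", simulate_naive(guard, 528));
    printf("correct canary        : %d (2 = ret hijacked)\n",
           simulate_precise(guard, guard, 0xdeadbeefu));
    printf("canary off by one bit : %d\n", simulate_precise(guard, guard ^ 1u, 0xdeadbeefu));
    return 0;
}
```

Two facts worth knowing before spending effort on recovering the canary: on x86 Linux glibc forces the lowest byte of the guard to 0x00, so a strcpy-family overflow stops at that byte and can never copy a complete canary in, whereas memset/memcpy/read-style writes can; and the guard is a single per-process value (read from the TLS block in every prologue), so one leak of it, from a format string or an over-read, is good for every frame in that process, not just the one that leaked it.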