Bugtraq mailing list archives
Re: "Function pointer" attacks.
From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Tue, 2 Nov 1999 17:35:25 +0000
vendicator () USA NET wrote:
> I don't know if this technique is already known but since I added a protection for it in Stack Shield I decided to post it.

The attack form is well known. There was an exploit against SuperProbe in 1997 that used this technique.

> The new Stack Shield 0.6 beta has a new protection mechanism that checks on non-constant calls if the call is in the TEXT segment. This could cause problems for programs that execute code from the DATA or STACK segment, however this stops this kind of attack.

This is the part I wanted details on. The above paragraph is not sufficient for me to figure out what your defense against function pointer smashing is. My guess is that you're blocking indirect function calls that point to the data or stack segment. The stack segment block has an identical effect to Solar Designer's non-executable stack patch for the kernel. The data segment block is likely to cause failures for programs that emit dynamic code. Sure, emitting dynamic code is gross, but if you *are* going to do it, then function pointers are a natural way to call your dynamic code.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
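
The kind of check guessed at in the message above, as an added illustration: this is not Stack Shield's code and not part of the original post. It assumes Linux/ELF with the GNU linker symbols `__executable_start` and `etext`; `in_text`, `checked_call` and the `call_*_target` helpers are hypothetical names. It shows an indirect call being allowed for a target in the text segment and refused for targets in the data and stack segments, which is also why a program calling dynamically emitted code through a function pointer would fail under such a check.

```c
#include <stdint.h>
#include <stdio.h>

/* Linker-provided bounds of the main program's text (GNU ld, see end(3)).
   Assumption: Linux/ELF. Shared-library code lies outside this range. */
extern char __executable_start[];
extern char etext[];

typedef int (*handler_fn)(int);

/* Constructed stand-in for code emitted into the data segment. */
static unsigned char data_buf[16];

static int double_it(int x) { return 2 * x; }

/* Returns 1 if addr lies inside the main program's text segment. */
static int in_text(uintptr_t addr) {
    return addr >= (uintptr_t)__executable_start && addr < (uintptr_t)etext;
}

/* Hypothetical guard placed in front of a non-constant call.
   Returns 0 and stores the result if the target is in text, -1 if blocked. */
int checked_call(handler_fn fn, int arg, int *out) {
    if (!in_text((uintptr_t)fn))
        return -1;              /* target is in data, heap or stack: refuse */
    *out = fn(arg);
    return 0;
}

int call_text_target(int arg, int *out) { return checked_call(double_it, arg, out); }

int call_data_target(int *out) {
    /* The pointer is only range-checked, never called. */
    return checked_call((handler_fn)(uintptr_t)data_buf, 0, out);
}

int call_stack_target(int *out) {
    unsigned char stack_buf[16] = {0};
    return checked_call((handler_fn)(uintptr_t)stack_buf, 0, out);
}

int main(void) {
    int out = 0;
    int rc = call_text_target(21, &out);
    printf("text target:  rc=%d out=%d\n", rc, out);
    printf("data target:  rc=%d\n", call_data_target(&out));
    printf("stack target: rc=%d\n", call_stack_target(&out));
    return 0;
}
```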