Bugtraq mailing list archives
Re: StackGuard with ... Re: [Paper] Format bugs.
From: Gerardo Richarte <core.lists.bugtraq () CORE-SDI COM>
Date: Mon, 24 Jul 2000 16:57:20 -0300
Alan DeKok wrote:
> My reading of their pages and papers leads me to conclude that they have an implicit assumption (I don't notice it explicitly stated) that the attacker does NOT have read access to the stack. The StackGuard papers seem to assume that "blind" buffer overflows are the primary means of attack.
This is completely true, and as Crispin said, StackGuard was coined to protect against stack buffer overflows, not any other type of attack/bug. And, as he said a while back, not to protect against all types of buffer overflows. I think it does a good job at what it was designed for, but at the same time, it leaves a lot of attacks outside its scope.
> As the "Format bugs" paper pointed out, it is possible to READ the stack, as well as to write (nearly) arbitrary data to the stack of the target machine. The obvious conclusion is that SOME methods of stack "canaries" may be externally discovered, and externally bypassed. I will not go into details here, as they should be readily apparent from Pascal's paper.
You are absolutely right, and more: you don't even need to be able to read the stack, guess any canary, NOR OVERFLOW the stack, to exploit format bugs (and some other bugs). As discussed in September 1999 here in bugtraq by Crispin and me, and after that published in Phrack magazine #56 by Bulba & Kil3r, if you have the ability to write to any chosen address in memory, you just need to place your code somewhere, and then go and overwrite any function pointer (that'll be called) to point to your code, for example, a GOT entry, atexit() functions, signal handlers, object destructors, or virtual method pointers, callback functions, etc. Take a look at those emails, there is an example of a vulnerable program (not a format bug) and an exploit for it.

links

bugtraq threads:
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D1999-11-08%26thread%3D3829EC71.70C61F30%40cse.ogi.edu
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D1999-11-08%26thread%3D382AD8E0.304928DD%40core-sdi.com

phrack article:
http://julianor.tripod.com/p56-05-bypassing_stackguard.txt

In short, you don't need to read the stack, nor guess the canary, not even overflow the stack to exploit this kind of bug. At that time (Sep-1999), Crispin was working on a tool called "PointGuard", that was going to address these problems; I haven't heard anything about it since.

    richie

PS: In fact, I still don't understand what attacks are protected against with the random canary method, but that's my problem (and a different thread)

--
A390 1BBA 2C58 D679 5A71 - 86F9 404F 4B53 3944 C2D0
Investigacion y Desarrollo - CoreLabs - Core SDI
http://www.core-sdi.com

---
For a personal reply use gera () core-sdi com
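The attack Richarte describes above, as an added example that is not part of the original thread or of any code from Core SDI, StackGuard or the Phrack article: a program keeps a function pointer in writable data (standing in for a GOT entry, an atexit() slot or a vtable entry), the attacker has only a write-what-where primitive (the kind a format bug gives; here a constructed memcpy stand-in, not a real format-string bug), and redirects control flow without reading the stack, guessing a canary or overflowing anything. The second half sketches the PointGuard idea he mentions (pointers stored XORed with a secret key) as a constructed illustration, not Cowan's implementation: the same raw-address write no longer lands on the attacker's code. The function and variable names are assumptions made for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed demo functions: the legitimate target and the attacker's
   stand-in for shellcode already placed somewhere in memory. */
static int legitimate_handler(void) { return 0; }
static int attacker_payload(void) { return 42; }

typedef int (*handler_fn)(void);

/* Plain function pointer in writable data, like a GOT entry, an atexit()
   slot or a callback table. It is not on the stack, so no canary guards it. */
static handler_fn handler = legitimate_handler;

/* Write-what-where primitive: what a format bug (%n) hands the attacker.
   Constructed stand-in; writes one machine word to an arbitrary address. */
static void write_word(void *where, uintptr_t what) {
    memcpy(where, &what, sizeof what);
}

/* Attack 1: overwrite the pointer with the payload's address, then let the
   program make its normal call. The attacker needed two addresses (pointer
   slot and payload) and zero stack reads; StackGuard has nothing to check. */
static int hijack_plain_pointer(void) {
    handler = legitimate_handler;                         /* program state */
    write_word(&handler, (uintptr_t)attacker_payload);    /* attacker write */
    return handler();                                     /* 42: payload ran */
}

/* PointGuard-style mitigation (constructed sketch): the pointer is stored
   XORed with a secret that a real implementation would draw randomly at
   process start. Stores and loads go through pg_store/pg_load. */
static const uintptr_t pg_key = (uintptr_t)0x5A5A1234u;   /* assumed secret */
static uintptr_t protected_handler;

static void pg_store(handler_fn f) { protected_handler = (uintptr_t)f ^ pg_key; }
static handler_fn pg_load(void) { return (handler_fn)(protected_handler ^ pg_key); }

/* Attack 2 against the encoded slot: the same raw write of the payload's
   address. On load it is decoded with the key, so the attacker's value turns
   into an unrelated (almost certainly invalid) address. The decoded pointer
   is deliberately not called; the function reports whether the hijack landed. */
static int hijack_protected_pointer(void) {
    pg_store(legitimate_handler);
    write_word(&protected_handler, (uintptr_t)attacker_payload);
    handler_fn decoded = pg_load();
    return decoded == attacker_payload;                   /* 0: hijack failed */
}
```

The first attack is the point of the message: the canary, random or not, protects the saved return address from a contiguous overflow and nothing else; a pointer overwrite anywhere else in memory is outside StackGuard's threat model. The PointGuard sketch shows why pointer encoding was the natural follow-up: without the key the attacker cannot produce a stored value that decodes to a chosen address, although a leak of the key (or of any encoded pointer together with its plaintext) gives it straight back.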