Bugtraq mailing list archives

Re: CORE-20020409: Multiple vulnerabilities in stack smashing protection technologies

From: Mariusz Woloszyn <emsi () ipartners pl>
Date: Sun, 28 Apr 2002 22:27:10 +0200 (EEST)

On Tue, 23 Apr 2002, [iso-8859-1] Iván Arce wrote:

1) Control of function's arguments

In [8] and [9] a method to exploit stack based buffer overflows on stack
protected
programs is presented. In the example, a local pointer is used to write to
arbitrary
memory locations within the program's memory space. This technique can be
extended
to exploit the fact that in standard C compiled programs, function arguments
are located
in the stack at "higher" addresses than the return address:


Above technique (extended) WAS described in [8]
(http://www.phrack.org/show.php?p=56&a=5):

"In this example we have our pointer (dst) on the stack beyond the canary
and RET value, so we cannot change it without killing the canary and
without being caught...

Or can we?

Both StackGuard and StackShield check whether RET was altered before the
function returns to its caller (this done at the very end of function).
In most cases we have enough time here to do something to take control of
a vulnerable program.

We can do it by overwriting the GOT entry of the next library function
called.

We don't have to worry about the order of local variables and since we
don't care if canary is alive or not, we can play!"

2) Returning with an altered frame pointer


It WAS described in [8] also:
"StackShield protection can be bypassed by overwriting the saved %ebp
which is not protected. One way of exploiting it (under the worst
conditions) was described in >>The Frame Pointer Overwrite<< by klog in
Phrack 55 [4]."

"[4] klog. The Frame Pointer Overwrite
     http://www.phrack.com/search.phtml?view&article=p55-8";

4) Pointing the caller's frame to the Global Offset Table (GOT)


VERY interestin aproach! :)


All I wanted to say is that most of above was described (clearly? ;) in
the fall of 1999 and published in May 2000.

Anyway: THX for credits.

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners

Current thread:

CORE-20020409: Multiple vulnerabilities in stack smashing protection technologies Iván Arce (Apr 24)
- Re: CORE-20020409: Multiple vulnerabilities in stack smashing protection technologies Mariusz Woloszyn (Apr 29)