It's Bugs All the Way Down

Security Research by Dan Rosenberg


I wanted to share a neat little trick I discovered while playing with gcc’s FORTIFY_SOURCE feature.

For those who don’t know, this feature attempts to prevent exploitation of a subset of buffer overflows by inserting a set of checks at compile-time, including stack canaries for some functions. It’s enabled by default in many cases. In particular, when FORTIFY_SOURCE detects an overflow, it aborts execution and prints an error message that might look similar to the following:

*** stack smashing detected ***: ./strcpy terminated
======= Backtrace: =========
======= Memory map: ========

Notice that this error message contains a reference to the application’s name, which is obtained by simply relying on argv[0]. Assuming the application was aborted because of a controllable stack-based buffer overflow, in some cases an attacker may be able to continue overflowing past the vulnerable buffer, overwriting the argv[0] pointer, causing the error message to print arbitrary memory addresses, as in the following contrived example:

$ ./strcpy `perl -e 'print "xa0x85x04x08"x80'`

*** stack smashing detected ***: THIS IS A SECRET terminated
======= Backtrace: =========
THIS IS A SECRET[0x80484d5]
THIS IS A SECRET[0x80485a0]
======= Memory map: ========

If an attacker ever stumbles upon a setuid application with an overflow that’s caught by FORTIFY_SOURCE, this may be used to read the application’s address space (which may contain sensitive information), even if code execution is mitigated. Because it relies on the existence of another vulnerability, I wouldn’t consider this a serious issue by any means, but it’s probably something that’s worth fixing eventually.

Happy hacking!

This entry was posted on Tuesday, April 27th, 2010 at 12:27 pm and is filed under Exploitation, Linux. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.