SSP & Lenny
~# dpkg -l libc6
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-===============================
ii  libc6          2.7-18         GNU C Library: Shared libraries
~# dpkg -l gcc
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-===============================
ii  gcc            4:4.3.2-2      The GNU C compiler
~# which gcc
/usr/bin/gcc
~# ls -al /usr/bin/gcc
lrwxrwxrwx 1 root root 7 2009-03-24 06:36 /usr/bin/gcc -> gcc-4.3
~# cat buggy.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // missing in the original post, hence the implicit-declaration warning below

int main( int argc, char *argv[] )
{
    // Fixed-size buffer on the stack; this is what the canary is meant to guard.
    char buffer[1024];

    if ( argc != 2 )
    {
        printf( "Usage: %s argument\n", argv[0] );
        return( -1 );
    }

    // Unbounded string copy: an argument longer than 1023 bytes overflows buffer.
    strcpy( buffer, argv[1] );
    printf( "Copied argument\n" );
    return( 0 );
}
~# gcc -fstack-protector-all -pie -fPIE -z relro -o buggy buggy.c
buggy.c: In function ‘main’:
buggy.c:16: warning: incompatible implicit declaration of built-in function ‘strcpy’
~# ./checksec-new.sh --file buggy
RELRO           STACK CANARY      NX/PaX        PIE             FILE
Partial RELRO   Canary found      NX enabled    PIE enabled     buggy
~# ./buggy `perl -e 'print "X"x2048'`
Copied argument
Segmentation fault (core dumped)
~# ./print-canary buggy
canary value: ff0a000000000000
Two things seem amiss here. First, it doesn't look like SSP is working
at all, whereas it worked fine on etch:
etch32-packager:~# dpkg -l libc6
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version                Description
+++-==============-======================-===============================
ii  libc6          2.3.6.ds1-13etch9+b1   GNU C Library: Shared libraries
etch32-packager:~# dpkg -l gcc
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version                Description
+++-==============-======================-===============================
ii  gcc            4.1.1-15               The GNU C compiler
etch32-packager:~# ./buggy `perl -e 'print "X"x2048'`
Copied argument
*** stack smashing detected ***: buggy terminated
Illegal instruction
The other problem is that the Lenny libc6 doesn't appear to be
compiled with --enable-stackguard-randomization, which causes the canary
to always be the predictable "ff0a000000000000".
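Added example, not from Kyle's post: the same C the post uses, with a bounded replacement for the strcpy() in buggy.c and a small parser for the "canary value: <hex>" line print-canary printed above that flags the unrandomized terminator-only guard. The function names, the assumption that print-canary always prints exactly that line format, and the 32-bit counterpart 0xff0a0000 are my own; only the 64-bit value ff0a000000000000 comes from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the unbounded strcpy() in buggy.c (hypothetical
 * name). Returns 0 when src and its terminator fit in dst, -1 otherwise; on
 * failure dst holds an empty string, never a partial copy. Refusing the
 * input up front is the fix; a canary only limits damage after the overflow
 * has already happened. */
int copy_argument(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    const char *nul = memchr(src, '\0', dstsize);  /* looks at most dstsize bytes */
    if (nul == NULL) {                             /* no room left for the NUL */
        dst[0] = '\0';
        return -1;
    }
    size_t len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);
    return 0;
}

/* Parse a "canary value: <hex>" line in the form print-canary printed above
 * (format assumed from that single line). Accepts 8 or 16 hex digits and
 * reports the value and its width in bytes; returns -1 on anything else. */
int parse_canary_line(const char *line, uint64_t *value, size_t *width)
{
    static const char prefix[] = "canary value: ";
    size_t plen = sizeof prefix - 1;
    if (line == NULL || strncmp(line, prefix, plen) != 0)
        return -1;
    const char *hex = line + plen;
    uint64_t v = 0;
    size_t digits = 0;
    for (; hex[digits] != '\0' && hex[digits] != '\n'; digits++) {
        char c = hex[digits];
        int nib;
        if (c >= '0' && c <= '9')      nib = c - '0';
        else if (c >= 'a' && c <= 'f') nib = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') nib = c - 'A' + 10;
        else return -1;
        if (digits >= 16)              /* more than 64 bits: not a canary */
            return -1;
        v = (v << 4) | (uint64_t)nib;
    }
    if (digits != 8 && digits != 16)
        return -1;
    *value = v;
    *width = digits / 2;
    return 0;
}

/* Without --enable-stackguard-randomization glibc leaves only the
 * "terminator" bytes in the guard: 0xff and '\n' in the two most significant
 * bytes, zero elsewhere. That is the ff0a000000000000 the post observed on
 * 64-bit; the 32-bit counterpart 0xff0a0000 is assumed by analogy. */
int canary_is_unrandomized(uint64_t canary, size_t width)
{
    if (width == 8)
        return canary == UINT64_C(0xff0a000000000000);
    if (width == 4)
        return canary == UINT64_C(0xff0a0000);
    return 0;   /* unknown width: make no claim */
}

/* Hardened counterpart of buggy.c's main(): same usage, but an oversized
 * argument is rejected before any copy happens. */
int main(int argc, char *argv[])
{
    char buffer[1024];
    if (argc != 2) {
        fprintf(stderr, "Usage: %s argument\n", argv[0]);
        return 1;
    }
    if (copy_argument(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buffer - 1);
        return 1;
    }
    printf("Copied argument\n");
    return 0;
}
```

Piping print-canary's output line into parse_canary_line() and then canary_is_unrandomized() gives a quick yes/no on whether a libc is handing out the fixed terminator guard; the terminator bytes still stop str*-style copies from writing past them intact, but a guard that never changes offers no secrecy, which is what the randomization option is for.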
References:
http://www.grsecurity.net/~spender/checksec-new.sh
http://census-labs.com/news/2009/01/21/static-ssp-canary-debian-libc6/
http://www.debian-administration.org/articles/408
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511811
--
Kyle