Re: SSP & Lenny
Hi Kyle,
On Wed, Jan 27, 2010 at 03:23:34PM -0800, Kyle Bader wrote:
> ii libc6 2.7-18
> ...
> ~# gcc -fstack-protector-all -pie -fPIE -z relro -o buggy buggy.c
> ...
> Partial RELRO Canary found NX enabled PIE enabled buggy
I would add "-Wl,-z,now" to gain better RELRO support. Also, "-z relro"
is more correctly expressed as "-Wl,-z,relro". And, for even more fun,
add "-O2" (or higher) and "-D_FORTIFY_SOURCE=2". For more details, see:
http://wiki.debian.org/Hardening
https://wiki.ubuntu.com/CompilerFlags
> ~# ./buggy `perl -e 'print "X"x2048'`
> Copied argument
> Segmentation fault (core dumped)
This is probably crashing in the stack protector backtrace unwinder (you
can check under gdb), and is not vulnerable. With a smaller overflow
you can see that it is being caught:
$ ./buggy `perl -e 'print "X"x1025'`
Copied argument
*** stack smashing detected ***: ./buggy terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4b)[0xf76b058b]
/lib/libc.so.6(__fortify_fail+0x0)[0xf76b0540]
...
If I remember correctly, earlier glibc did not attempt a stack unwinding
on stack check failures.
> ~# ./print-canary buggy
> canary value: ff0a000000000000
This is expected on older kernel/glibc combinations. Debian's glibc
does not include the RedHat randomization patch for the canary. See:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563637
https://bugs.edge.launchpad.net/ubuntu/+source/glibc/+bug/275493
Newer kernels (and glibc) will handle this more correctly via AT_RANDOM:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f06295b44c296c8fb08823a3118468ae343b60f2
> The other problem is that the Lenny libc6 doesn't appear to be
> compiled with --enable-stackguard-randomization, this causes the canary
> to always be a predictable "ff0a000000000000".
This option causes libc to open /dev/urandom on every exec, which ends
up being rather expensive. AT_RANDOM is the better solution and should
happen automatically if the kernel supports it.
The upshot of the static canary is that usually it's string operations
that overflow the stack, and it's not possible to overwrite past a canary
with \x00 in it using the str* functions.
-Kees
--
Kees Cook @debian.org
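The point about a canary containing a \x00 byte and the str* functions is easy to check in code. The C program below is an added illustration, not code from the thread or from glibc: it builds a simulated frame in the order the stack protector uses (buffer, then canary, then saved return address; the layout and sizes are constructed for illustration, not a real stack), pushes attacker strings through a strcpy()-style byte copy, and reports whether the canary survived and whether the return address was reached. It uses glibc's static fallback canary as it sits in memory (00 00 00 00 00 00 0a ff, which read as a little-endian 64-bit integer is the ff0a000000000000 that print-canary showed) and a constructed NUL-free canary for contrast. The last two functions look at the running system instead: whether the kernel supplied AT_RANDOM, and whether the live canary (read from %fs:0x28, where x86-64 glibc keeps it) contains a zero byte. Those two assume Linux/x86-64 with glibc >= 2.16 and return -1 elsewhere. All function names and constants are mine.

```c
/* Added example, not code from the thread: a byte-level simulation of why a
 * canary containing a 0x00 byte stops str*-based overflows, plus two checks of
 * the live canary.  Frame layout is constructed for illustration; the live
 * checks assume Linux/x86-64 with glibc >= 2.16 and return -1 elsewhere. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__linux__)
#include <sys/auxv.h>   /* getauxval(AT_RANDOM) */
#endif

#define BUF_LEN    16
#define CANARY_LEN 8
#define CANARY_INTACT     1   /* result bits from simulate_strcpy() */
#define RETADDR_CLOBBERED 2

/* Simulated frame at increasing addresses: buffer, canary, saved return
 * address, the order -fstack-protector uses.  No padding between members. */
struct frame {
    unsigned char buf[BUF_LEN];
    unsigned char canary[CANARY_LEN];
    unsigned char retaddr[8];
};

/* glibc's static fallback canary as laid out in memory, low address first:
 * 00 00 00 00 00 00 0a ff (little-endian 64-bit value 0xff0a000000000000). */
static const unsigned char STATIC_CANARY[CANARY_LEN] = { 0, 0, 0, 0, 0, 0, 0x0a, 0xff };
/* Constructed contrast case: a fixed, attacker-known canary with no zero byte. */
static const unsigned char NO_NUL_CANARY[CANARY_LEN] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };

/* Copy payload into f.buf the way strcpy() does: byte by byte, no bounds check,
 * stopping only after the first NUL.  The copy is clamped to the frame so the
 * simulation cannot corrupt real memory; a real strcpy() is not. */
static int simulate_strcpy(const char *payload, const unsigned char canary[CANARY_LEN])
{
    static const unsigned char saved_ret[8] = { 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0 };
    struct frame f;
    unsigned char *dst = (unsigned char *)&f;

    memset(f.buf, 0, sizeof f.buf);
    memcpy(f.canary, canary, CANARY_LEN);
    memcpy(f.retaddr, saved_ret, sizeof f.retaddr);
    for (size_t i = 0; i < sizeof f; i++) {
        dst[i] = (unsigned char)payload[i];
        if (payload[i] == '\0')
            break;
    }
    return (memcmp(f.canary, canary, CANARY_LEN) == 0 ? CANARY_INTACT : 0)
         | (memcmp(f.retaddr, saved_ret, sizeof f.retaddr) != 0 ? RETADDR_CLOBBERED : 0);
}

/* Attacker string pushed through strcpy() into a frame protected by `canary`:
 * BUF_LEN filler bytes, then `guess` (the canary value the attacker believes is
 * there; NULL means more filler), then 8 bytes aimed at the return address.
 * A C string ends at its first 0x00, so a guess containing one cuts it short. */
static int attack(const unsigned char canary[CANARY_LEN], const unsigned char *guess)
{
    char p[BUF_LEN + CANARY_LEN + 8 + 1];
    memset(p, 'A', sizeof p - 1);
    if (guess)
        memcpy(p + BUF_LEN, guess, CANARY_LEN);
    memset(p + BUF_LEN + CANARY_LEN, 'R', 8);
    p[sizeof p - 1] = '\0';
    return simulate_strcpy(p, canary);
}

/* Known static canary with zero bytes: the copy stops at the first 0x00, the
 * canary survives and the return address is never reached. */
int static_canary_stops_strcpy(void) { return attack(STATIC_CANARY, STATIC_CANARY) == CANARY_INTACT; }

/* A NUL-free overflow that reaches the return address must also overwrite the
 * canary's zero byte, so the check before return fires (__stack_chk_fail). */
int nul_free_overflow_is_detected(void) { return attack(STATIC_CANARY, NULL) == RETADDR_CLOBBERED; }

/* A known canary with no zero byte is replayed intact and the return address
 * is overwritten with nothing to detect it. */
int known_nul_free_canary_is_bypassed(void)
{
    return attack(NO_NUL_CANARY, NO_NUL_CANARY) == (CANARY_INTACT | RETADDR_CLOBBERED);
}

/* 1 if the kernel placed AT_RANDOM in the aux vector (what newer glibc seeds
 * the canary from instead of opening /dev/urandom), 0 if absent, -1 off Linux. */
int kernel_supplies_at_random(void)
{
#if defined(__linux__)
    return getauxval(AT_RANDOM) != 0;
#else
    return -1;
#endif
}

/* 1 if the live canary (x86-64 glibc keeps it at %fs:0x28) contains a zero
 * byte, 0 if not, -1 where this check is unsupported. */
int live_canary_has_zero_byte(void)
{
#if defined(__linux__) && defined(__x86_64__)
    uintptr_t guard;
    __asm__ volatile ("mov %%fs:0x28, %0" : "=r"(guard));
    for (size_t i = 0; i < sizeof guard; i++)
        if (((guard >> (8 * i)) & 0xff) == 0)
            return 1;
    return 0;
#else
    return -1;
#endif
}

int main(void)
{
    printf("static canary stops strcpy:     %d\n", static_canary_stops_strcpy());
    printf("NUL-free overflow detected:     %d\n", nul_free_overflow_is_detected());
    printf("known NUL-free canary bypassed: %d\n", known_nul_free_canary_is_bypassed());
    printf("kernel supplies AT_RANDOM:      %d\n", kernel_supplies_at_random());
    printf("live canary has a zero byte:    %d\n", live_canary_has_zero_byte());
    return 0;
}
```

The simulated copy is deliberately clamped to the 32-byte frame so the program never corrupts its own memory; the real strcpy() has no such clamp, which is the whole problem. Note that the zero byte only helps against the str* family and similar NUL-terminated copies: a memcpy()/read() overflow with a length the attacker controls can write 0x00 freely, and against those only an unpredictable canary (AT_RANDOM) helps.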