
Re: SSP & Lenny



Hi Kyle,

On Wed, Jan 27, 2010 at 03:23:34PM -0800, Kyle Bader wrote:
> ii  libc6                                  2.7-18
> ...
> ~# gcc -fstack-protector-all -pie -fPIE -z relro -o buggy buggy.c
> ...
> Partial RELRO   Canary found      NX enabled    PIE enabled             buggy

I would add "-Wl,-z,now" to gain better RELRO support.  Also, "-z relro"
is more correctly expressed as "-Wl,-z,relro".  And, for even more fun,
add "-O2" (or higher) and "-D_FORTIFY_SOURCE=2".  For more details, see:
http://wiki.debian.org/Hardening
https://wiki.ubuntu.com/CompilerFlags

> ~# ./buggy `perl -e 'print "X"x2048'`
> Copied argument
> Segmentation fault (core dumped)

This is probably crashing in the stack protector backtrace unwinder (you
can check under gdb), and is not vulnerable.  With a smaller overflow
you can see that it is being caught:
$ ./buggy `perl -e 'print "X"x1025'`
Copied argument
*** stack smashing detected ***: ./buggy terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4b)[0xf76b058b]
/lib/libc.so.6(__fortify_fail+0x0)[0xf76b0540]
...

If I remember correctly, earlier glibc did not attempt a stack unwinding
on stack check failures.

> ~# ./print-canary buggy
> canary value: ff0a000000000000

This is expected on older kernel/glibc combinations.  Debian's glibc
does not include the RedHat randomization patch for the canary.  See:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563637
https://bugs.edge.launchpad.net/ubuntu/+source/glibc/+bug/275493

Newer kernels (and glibc) will handle this more correctly via AT_RANDOM:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f06295b44c296c8fb08823a3118468ae343b60f2

> The other problem is that the Lenny libc6 doesn't appear to be
> compiled with --enable-stackguard-randomization, this causes the canary
> to always be a predictable "ff0a000000000000".

This option causes libc to open /dev/urandom on every exec, which ends
up being rather expensive.  AT_RANDOM is the better solution and should
happen automatically if the kernel supports it.

The up-shot of the static canary is that usually it's string operations
that overflow the stack, and it's not possible to overflow past a canary
with \x00 in it using the str* functions.

-Kees

-- 
Kees Cook                                            @debian.org
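As an added illustration of the last point in the reply above (this is not code from the thread or from glibc): a byte-level model of a -fstack-protector frame, showing that a strcpy-style copy cannot reach past a canary that contains a \x00 byte without altering it, whereas a fully non-zero canary whose value is known can be copied over intact. The frame layout, the placeholder return slot, and every canary value other than ff0a000000000000 are constructed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of a protected frame: overflowable buffer, then the canary, then the
 * saved return address. Offsets and sizes are constructed for this model. */
#define BUF_LEN    16
#define CANARY_OFF BUF_LEN
#define RET_OFF    (BUF_LEN + 8)
#define FRAME_LEN  (RET_OFF + 8)
#define RET_PLACEHOLDER 0x4141414141414141ULL

/* What strcpy() does to memory: copy until the source NUL, then store one
 * NUL. The write is bounded by the model, so this program itself is safe. */
static void model_strcpy(uint8_t *frame, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0' && i < FRAME_LEN) {
        frame[i] = (uint8_t)src[i];
        i++;
    }
    if (i < FRAME_LEN)
        frame[i] = 0;
}

/* Little-endian store/load, matching the in-memory layout on x86/x86-64. */
static void store_le64(uint8_t *p, uint64_t v)
{
    for (size_t k = 0; k < 8; k++)
        p[k] = (uint8_t)(v >> (8 * k));
}

static uint64_t load_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (size_t k = 0; k < 8; k++)
        v |= (uint64_t)p[k] << (8 * k);
    return v;
}

/* Worst case for the defender: the canary value is already known, so the
 * source string is filler + the canary's own bytes + data for the return
 * slot. Returns true only if the copy left the canary intact AND changed
 * the return slot; any NUL byte inside the canary ends the copy early. */
static bool str_overflow_passes_canary(uint64_t canary)
{
    uint8_t frame[FRAME_LEN] = {0};
    store_le64(frame + CANARY_OFF, canary);
    store_le64(frame + RET_OFF, RET_PLACEHOLDER);

    char src[FRAME_LEN + 1];
    memset(src, 'X', BUF_LEN);
    store_le64((uint8_t *)src + CANARY_OFF, canary);
    memset(src + RET_OFF, 'R', 8);
    src[FRAME_LEN] = '\0';

    model_strcpy(frame, src);
    return load_le64(frame + CANARY_OFF) == canary
        && load_le64(frame + RET_OFF) != RET_PLACEHOLDER;
}
```

With the static Lenny value ff0a000000000000 the copy stops at the canary's first in-memory byte, so the return slot is never reached; only a canary with no zero byte at all is preserved by the copy.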
