Monatsarchiv für April 2009

The result of my Black Hat presentation on the current protection measures in place in current linux boxes would be that systems are overall very secure as NX/DEP is deployed in every process without any exceptions, ASLR is in place by default and Stack Canary values additionaly add to security.

However, there are still some flaws that are yet to be fixed:

  • ASLR should be implemented for every page in memory. Currently exceptions are code and data sections of binaries and also the vsyscall page.
  • The kernel random number generator used for randomizations in ASLR is not as random as one expects, which allows to bypass ASLR protection, if an attacker already has local access to the system. Details on the vulnerability can be found in the according paper: Bypassing ASLR by predicting a process’ randomization
  • Stack Cookies (and this seems to be consistant with other implementations of SSP) do only protect char[] buffers with a size greater 4. There is no protection for e.g. short, int or void * buffers, which might allow some vulnerabilities to be exploitable, because SSP is not applied to the function unless the conditions stated above apply.
  • As the master canary is initialized in major Linux OS with the poor man’s randomization patch, which mainly relies on ASLR to supply randomness, an attacker can also bypass this protection using the ASLR bypassing described above.

More details can be found in either: