I was heavily playing with Stack Smashing Protector a few years ago. Some of my research (observation) I decided to publish on phrack magazine but not everything. Two years ago my professional life moved to the Windows environment and unfortunately I didn’t have time to play with UNIX world as much as before. One weekend I decided to reanalyze SSP code again and this write-up is describing a few of my observations I’ve made during the work…
… which can be shortly summarized as:
Not security related…
- We can change program’s name (from SSP perspective) via overwriting memory region where pointer to “argv” points to.
- We can crash Stack Smashing Protector code in many ways:
- Via corrupting memory region pointed by “__environ” variable.
- Via setting “LIBC_FATAL_STDERR_” to the edge of valid addresses.
- Via forcing “alloca()” to fail – e.g. stack exhaustion.
- There is one more bug which I’m analyzing more comprehensively at point 4. It may indirectly force SSP to crash. It exists in DWARF stack (state) machine which is responsible for gathering information about the stack trace (“__backtrace()”) and prints it.
- We can slightly control SSP’s execution flow. (Un)Fortunately it doesn’t have any influence for the main execution (what about security?). Following scenarios are possible:
- Force SSP to open “/dev/tty”
- Force SSP not to open “/dev/tty” and assign to the “fd” descriptor “STDERR_FILENO” value:
#define STDERR_FILENO 2 /* Standard error output. */
- Crash SSP via 2b. scenario
- We can crash indirectly SSP via unwinding algorithm (read-AV or we can be killed by “gcc_unreachable” or “gcc_assert” function) – DWARF stack (state) machine:
- Simulate FDE object was not found
- Simulate FDE object was found.
Somehow security related…
- We can force SSP to allocate a lot of memory and cause Denial of Service via Resource Exhaustion attack.
- Theoretical Information leak:
- Stack cookie information leak.
- Any kind of information leak
- File corruption.
Full write-up is available here 🙂
Adam ‘pi3’ Zabrocki