18
Mar
One day I was reviewing all bugs in bugtraq IDs (popular bids). I want to know which kind of bugs is it now popular and what is the trend of modern bugs. I came to two main conclusions:
1) The most popular are SQL/XSS bugs but in 60% this is found in software which nobody knows/uses (stupid kiddie)
2) We’ve got 2010 year and there is still possible to find stack overflow bugs! The most funny thing for me there is more remote stack overflow bugs than local 🙂
Stack overflow bugs is one of the oldest class of software bugs which still exists – more-less 10% of all bugs ! Of course it isn’t 199x year that you can find it using regexpression for ‘grep’ program. So what is conclusion? Exploit stack overflow bugs is still interesting from attackers point of view. The question is “Is it still possible to exploit this class of bugs in modern UNIX systems in 2010 year?”. The answer for this question isn’t simple. Let’s do simple review of modern defence systems. We’ve got:
*) Non-exec memory (not only stack – almost every region where it is NOT necessary) *) W^X – “Write XOR Exec” memory. It forbids memory with Write and Exec bits in the same time.*) AAAS – ASCII Armored Address Space *) ASLR – Address Space Layout Randomization *) mmap() and mprotect() protections
*) Heap protections – like safe-unlink(), safe malloc() implementation (OpenBSD) *) Random canary of death protections ——————————-|
*) frame pointer protection by canary of death |
*) move all pointers to the beginning of the frame |==> pro-police
*) move all local byte arrays to the end of the frame | protection (SSP) *) Vulnerable arguments copied to the local variables and then reordered—-| .
We can bypass most of this protection but if it isn’t connected. Is there any possibilities to exploit in modern UNIX systems REMOTE stack overflow bugs with enabled ALL of this protections?! It sounds crazy… but STILL we CAN DO IT 🙂 I wrote simple server with remote stack overflow bug and EXPLOIT it. Proof Of Concept of course is private but I created a movie of exploiting. You can find it here:
http://site.pi3.com.pl/priv/bypass-all-protections.flv
We’ve got 2010 year and we can still exploit remote stack overflow bugs in modern UNIX systems 🙂 Amazing… but it could be that this techniques (yes it isn’t one technique which is used to exploit this bug) is the last opportunity to exploiting remote stack overflow bugs… OK so… have a nice watching 🙂
Best regards,
Adam Zabrocki
Comments
Leave a Reply
z33d on 03.18.2010
Is there any new concept or ninja trick? For me
it seems that it’s nothing new, you simply brute force canary value, guessing one byte at time. Or am I wrong?
admin on 03.18.2010
Yes, there is. Canary is only one of the defence which i bypass remotely. Problem is to bypassing all protections using remote attack. This show it is possible.
Gu1 on 03.19.2010
Another article with more details about how you did it would be great. That would be much more explanatory than this video.
Newlog on 04.28.2010
I’m with Gu1 😀
etho on 05.25.2010
Can you public code of vulnerable server?
admin on 05.25.2010
I’m preparing paper about details how to exploit remote stack overflow bugs. There will be server and exploit code…
dev/null on 05.27.2010
I belive the reason there is more remote b0f now is because the amount of network service based s.w has dominated the market,
h00w on 06.23.2010
w00w its so elite :)) are u planning to release a paper about your technique? i will wait for it :))
admin on 06.24.2010
Probably yes, but I don’t know when and where 😉
klondike on 12.06.2010
Is funny how new random canaries are not generated on each fork() call. Of course the ASLR bypass is unavoidable although I’d like to see that exploit working on an amd64 machine 😛
The funny thing is that it is very easy to fix.
admin on 12.06.2010
Here is more technical details:
http://phrack.org/issues.html?issue=67&id=13#article
a on 06.22.2012
Hello,
Source code of this?
twitter handle?:)
Thanks,
admin on 06.22.2012
It is public since November 2011 as part of my publication in Phrack magazine. Please take a look here:
http://blog.pi3.com.pl/?p=136
a on 06.24.2012
Yeah, I have already found it, thanks!
I’m the guy who added you on LI also.