One day I was reviewing all bugs in Bugtraq IDs (popular bids). I wanted to know which kinds of bugs are popular now and what the trend of modern bugs is. I came to two main conclusions:
1) The most popular are SQL/XSS bugs, but about 60% of these are found in software which nobody knows or uses (stupid kiddie stuff)
2) It is 2010 and it is still possible to find stack overflow bugs! The funniest thing for me is that there are more remote stack overflow bugs than local ones.
Stack overflow bugs are one of the oldest classes of software bugs that still exist, more or less 10% of all bugs! Of course it isn’t 199x anymore, when you could find them with a regular expression for the ‘grep’ program. So what is the conclusion? Exploiting stack overflow bugs is still interesting from the attacker’s point of view. The question is: “Is it still possible to exploit this class of bugs in modern UNIX systems in 2010?” The answer to this question isn’t simple. Let’s do a simple review of modern defence systems. We’ve got:

*) Non-exec memory (not only the stack – almost every region where execution is NOT necessary)
*) W^X – “Write XOR Exec” memory. It forbids memory with the Write and Exec bits set at the same time.
*) AAAS – ASCII Armored Address Space
*) ASLR – Address Space Layout Randomization
*) mmap() and mprotect() protections
*) Heap protections – like safe-unlink(), safe malloc() implementation (OpenBSD)
*) ProPolice protection (SSP), which combines:
   - random canary of death protection
   - frame pointer protection by the canary of death
   - all pointers moved to the beginning of the frame
   - all local byte arrays moved to the end of the frame
   - vulnerable arguments copied to local variables and then reordered
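To make concrete what all of these protections are aimed at, here is the bug pattern itself next to its bounded form. This is an added example, not the author’s private PoC server; the one-byte-length wire format, the function names and the sample packets are assumptions constructed for illustration.

```c
/* Added example: the classic remote stack overflow pattern beside the
 * bounded version. Assumed wire format: 1-byte payload length, then payload. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

/* Vulnerable: trusts the length byte sent by the peer and copies into a
 * fixed stack buffer. A length >= NAME_MAX writes past the array into
 * saved registers and the return address; SSP/W^X/ASLR only try to make
 * that write unexploitable after the fact. */
int handle_request_vuln(const uint8_t *pkt, size_t pktlen)
{
    char name[NAME_MAX];
    if (pktlen < 1)
        return -1;
    size_t n = pkt[0];
    memcpy(name, pkt + 1, n);          /* n never checked against NAME_MAX */
    name[n] = '\0';
    return (int)strlen(name);
}

/* Hardened: validate the peer-controlled length against both the buffer
 * (leaving room for the NUL) and the bytes actually received, before any copy. */
int handle_request_safe(const uint8_t *pkt, size_t pktlen)
{
    char name[NAME_MAX];
    if (pktlen < 1)
        return -1;
    size_t n = pkt[0];
    if (n >= NAME_MAX || n > pktlen - 1)
        return -1;                     /* reject instead of smashing the frame */
    memcpy(name, pkt + 1, n);
    name[n] = '\0';
    return (int)strlen(name);
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[]  = { 5, 'a', 'd', 'm', 'i', 'n' };
static const uint8_t bad_pkt[]   = { 200, 'A', 'A', 'A', 'A' }; /* claims 200 bytes */
static const uint8_t short_pkt[] = { 10, 'a', 'b' };           /* claims more than sent */

int main(void)
{
    printf("safe/good:  %d\n", handle_request_safe(good_pkt, sizeof good_pkt));
    printf("safe/bad:   %d\n", handle_request_safe(bad_pkt, sizeof bad_pkt));
    printf("safe/short: %d\n", handle_request_safe(short_pkt, sizeof short_pkt));
    /* handle_request_vuln(bad_pkt, ...) would overflow name[]; deliberately not called. */
    return 0;
}
```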
We can bypass most of these protections, but only when they are not combined. Is there any possibility of exploiting REMOTE stack overflow bugs in modern UNIX systems with ALL of these protections enabled?! It sounds crazy… but we STILL CAN DO IT. I wrote a simple server with a remote stack overflow bug and EXPLOITED it. The Proof of Concept is of course private, but I created a movie of the exploitation. You can find it here:
It is 2010 and we can still exploit remote stack overflow bugs in modern UNIX systems. Amazing… but it could be that these techniques (yes, it isn’t just one technique that is used to exploit this bug) are the last opportunity for exploiting remote stack overflow bugs… OK so… enjoy watching.