{"id":485,"date":"2014-03-27T04:00:26","date_gmt":"2014-03-27T03:00:26","guid":{"rendered":"http:\/\/blog.pi3.com.pl\/?p=485"},"modified":"2014-03-27T04:02:22","modified_gmt":"2014-03-27T03:02:22","slug":"adventure-with-stack-smashing-protector-ssp","status":"publish","type":"post","link":"https:\/\/blog.pi3.com.pl\/?p=485","title":{"rendered":"Adventure with Stack Smashing Protector (SSP)"},"content":{"rendered":"<p><b><span style=\"text-decoration: underline; font-size: 20px;\">Introduction.<\/span><\/b><\/p>\n<p>I was heavily playing with Stack Smashing Protector a few years ago. Some of my research (observation) I decided to publish on phrack magazine but not everything. Two years ago my professional life moved to the Windows environment and unfortunately I didn\u2019t have time to play with UNIX world as much as before. One weekend I decided to reanalyze SSP code again and this write-up is describing a few of my observations I\u2019ve made during the work\u2026<\/p>\n<p>\u2026 which can be shortly summarized as:<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"text-decoration: underline;\">Not security related\u2026<\/span><\/p>\n<ol>\n<li>We can change program\u2019s name (from SSP perspective) via overwriting memory region where pointer to &#8220;argv[0]&#8221; points to.<\/li>\n<li>We can crash Stack Smashing Protector code in many ways:\n<ol type=\"a\">\n<li>Via corrupting memory region pointed by &#8220;__environ&#8221; variable.<\/li>\n<li>Via setting &#8220;LIBC_FATAL_STDERR_&#8221; to the edge of valid addresses.<\/li>\n<li>Via forcing &#8220;alloca()&#8221; to fail \u2013 e.g. stack exhaustion.<\/li>\n<li>There is one more bug which I\u2019m analyzing more comprehensively at point 4. It may indirectly force SSP to crash. It exists in DWARF stack (state) machine which is responsible for gathering information about the stack trace (&#8220;__backtrace()&#8221;) and prints it.<\/li>\n<\/ol>\n<\/li>\n<li>We can slightly control SSP\u2019s execution flow. (Un)Fortunately it doesn\u2019t have any influence for the main execution (what about security?). Following scenarios are possible:\n<ol type=\"a\">\n<li>Force SSP to open &#8220;\/dev\/tty&#8221;<\/li>\n<li>Force SSP <i><span style=\"text-decoration: underline;\">not<\/span><\/i> to open &#8220;\/dev\/tty&#8221; and assign to the &#8220;fd&#8221; descriptor &#8220;STDERR_FILENO&#8221; value:<\/li>\n<\/ol>\n<p>#define STDERR_FILENO 2 \/* Standard error output. *\/<\/p>\n<ol start=\"3\" type=\"a\">\n<li>Crash SSP via 2b. scenario<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<ol start=\"4\">\n<li>We can crash indirectly SSP via unwinding algorithm (read-AV or we can be killed by &#8220;gcc_unreachable&#8221; or &#8220;gcc_assert&#8221; function) \u2013 DWARF stack (state) machine:\n<ol type=\"a\">\n<li>Simulate FDE object was not found<\/li>\n<li>Simulate FDE object was found.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\">Somehow security related\u2026<\/span><\/p>\n<ol>\n<li>We can force SSP to allocate a lot of memory and cause Denial of Service via Resource Exhaustion attack.<\/li>\n<li>Theoretical Information leak:\n<ol type=\"a\">\n<li>Stack cookie information leak.<\/li>\n<li>Any kind of information leak<\/li>\n<li>File corruption.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>Full write-up is available <a href=\"http:\/\/site.pi3.com.pl\/papers\/ASSP.pdf\" target=\"_blank\">here <\/a>\ud83d\ude42<br \/>\n&nbsp;<br \/>\n&nbsp;<br \/>\nBest regards,<br \/>\nAdam &#8216;pi3&#8217; Zabrocki<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction. I was heavily playing with Stack Smashing Protector a few years ago. Some of my research (observation) I decided to publish on phrack magazine but not everything. Two years ago my professional life moved to the Windows environment and unfortunately I didn\u2019t have time to play with UNIX world as much as before. One [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-485","post","type-post","status-publish","format-standard","hentry","category-o-wszystkim-i-o-niczym"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/485","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=485"}],"version-history":[{"count":10,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/485\/revisions"}],"predecessor-version":[{"id":495,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/485\/revisions\/495"}],"wp:attachment":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}