Defeat userland exploits on Linux - ENSIMAGensiwiki.ensimag.fr/.../e/e1/...Defeat_userland_exploits_on_Linux.pdf · Full RELRO running processes on Ubuntu Maverick 10.10: No RELRO

Memory protectionsGlibc and GCC security patches

Conclusion

Defeat userland exploits on Linux

Arnaud Maillet ([email protected])

SecurIMAG - the Ensimag IT security clubENSIMAG - Computer Science and Mathematics

Grenoble INP University

SecurIMAG talks, September 2011

Arnaud Maillet SecurIMAG - Defeat userland exploits on Linux

http://ensiwiki.ensimag.fr/index.php/Portail:SecurIMAG_Ensimag_IT_security_club


Conclusion

Outline

1 Memory protectionsNon-eXecutable MemoryFull RELROPIE

2 Glibc and GCC security patchesCanaryFortify sourceHeap protector



Conclusion

Non-eXecutable MemoryFull RELROPIE

Outline





Conclusion


Non-eXecutable Memory

Reminder : Stack Overflow



Conclusion



Stack Overflow basic exploitation technics, firstly introduced byAleph1 in 1996 ( Smashing the stack for fun and profit )

Shellcode on the stack ( environment variables, stackbuffer )

Shellcode on the heap

Shellcode everywhere

Prerequisites : these sections should be eXecutable!



Conclusion



Most modern CPUs protect against executing non-executablememory regions (heap, stack, etc).

Hardware-based (via PAE mode) :

Partial Emulation (via segment limits):



Conclusion



Non-Executable Memory and recent kernel :



Conclusion



Example : 19-another-smallbug PCTF ( IDA Pseudo-code )



Conclusion



ROP : mmap an rwx area, copy a shellcode and jump ( StalkR’sexploit )



Conclusion


Outline





Conclusion


Full RELRO

Full RELRO is a generic mitigation technique to avoidGOT-overwrite-style memory corruption attacks.

compiler command line: gcc -Wl,-z,relro,-z,now

the entire Global Offset Table is (re)mapped as read-only

avoid format string and 4-byte write attacks

With partial RELRO, the GOT is not read-only.



Conclusion


Full RELRO

Reminder: understand the Global Offset Table with an example



Conclusion


Full RELRO

Display the GOT of our program :



Conclusion


Full RELRO

Full RELRO running processes on Ubuntu Maverick 10.10:

No RELRO : 1 processusPartial RELRO : 91 processusFull RELRO : 20 processus



Conclusion


Full RELRO

Full RELRO running processes on Fedora 15:




Conclusion


Full RELRO

Full RELRO running processes on Debian GNU/Linux 6.0Squeeze:




Conclusion


Full RELRO

Training : GOT-overwrite-style memory corruption attacks

Ivanlef0u’s challenge AMENRAChallenge 6 : format string / no ASLR / stack +x / partialRELRO

Challenge 7 : format string / partial ASLR / stack +x /partial RELRO

Challenge 8 : format string / partial ASLR / stack -x / partialRELRO



Conclusion


Outline





Conclusion


PIE

Position Independent Executables :

gcc command line : -pie

protects against ”return-to-text” ( ROP )

large (5-10%) performance penalty

often used for a select number of security-critical packages( openssh, apache, bind9, openldap, postfix, cup,postgresql, samba, dhcp3, squid ... )



Conclusion


PIE

In real life :

Ubuntu Desktop 10.10: 23% of running processes arecompiled with PIE

Fedora 15 : 50% of running processes are compiled withPIE

Debian Squeeze (6.0) : 35% of running processes arecompiled with PIE



Conclusion

CanaryFortify sourceHeap protector

Outline





Conclusion


Canary

Firstly introduced in Stack-Smashing Protector (SSP)

GCC patch, command line : -fstack-protector-all

reordering of local variables to place buffers after pointersto avoid the corruption of pointers

random canary to prevent EIP overwrite



Conclusion


Canary

Stack-Smashing Protector (SSP)



Conclusion


Canary

Assembly Canary Code



Conclusion


Canary

Exploiting canaries remotely in network daemon ( AdamZabrocki aka pi3 ) :

Childs and the mother share the same canary.



Conclusion


Canary

In this configuration it’s possible to find the canary with lessthan 1024 tests :



Conclusion


Canary

A stupid brute force would lead to 232 combinations(4294967296 combinations) :



Conclusion


Canary

In real life :

Ubuntu Desktop 10.10: 75% of running processes have acanary

Ubuntu Server 10.04: 85% of running processes have acanary

Fedora 15 : 95% of running processes have a canary

Debian Squeeze (6.0) : 20% of running processes have acanary



Conclusion


Outline





Conclusion


Build your programs with ”-D FORTIFY SOURCE=2”

expand unbounded calls to ”sprintf”, ”strcpy” into their ”n”length-limited cousins.stop format string ”%n” attacks when the format string is ina writable memory segment.require checking various important function return codesand arguments (e.g. system, write, open).require explicit file mask when creating new files.



Conclusion


Bypass FORTIFY SOURCE using Format strings

Captain Planet - A Eulogy of Format strings

Uncommon format string : ”%49150u %4849$hn%1$*269158540$x %1$*13996$x %1073741824$d”4-byte NULL write to disable FORTIFY SOURCE :

args type[ ATTACKER OFFSET ] = 0x00000000;



Conclusion


Memory leak in FORTIFY SOURCE

Dan Rosenberg - Fun with FORTIFY SOURCE

An overflow attempt can engender a sensitive memory leak.



Conclusion


Memory leak in FORTIFY SOURCE

A crafted argv[0] is used to read the application’s addressspace



Conclusion


FORTIFY SOURCE in Linux

Integration of FORTIFY SOURCE :

Ubuntu :

Debian Lenny ( 2009 ) - Several security-critical packagesFedora 8 ( 2007 ) - The author of this feature is a redhatdeveloper



Conclusion


Outline





Conclusion


Glibc security checks

Since glibc 2.3.4, ptmalloc2/3 provides different securitychecks:

The ”unlink” patch :



Conclusion


Glibc security checks

The House of Lore patch:

Technics introduced by blackngel require considerable efforts



Conclusion


Protect your heap from heap overflow.

Allocator security designed :

Jemalloc on FreeBSD

Guard Malloc for Mac OS X

DistriNet memory allocator

OpenBSD malloc



Conclusion

Conclusion

Today, userland exploitation on Linux has become much moredifficult than 15 years ago.

That’s why, concepts like ret2libc, ROP, GOT-overwrite-stylememory corruption attacks have been developed.

Under certain conditions it is possible to bypass one or twoprotection(s), but it becomes almost impossible with all theprotections.


Appendix Bibliography

Bibliography I

Aleph. OneSmashing the stack for fun and profitPhrack #49 http://www.phrack.org

blackngel.Malloc Des-MaleficarumPhrack #66 http://www.phrack.org

blackngel.The House Of Lore Reloaded ptmalloc v2 & v3: Analysis &CorruptionPhrack #67 http://www.phrack.org


http://www.phrack.org




Bibliography II

Adam. ZabrockiScraps of notes on remote stack overflow exploitationPhrack #67 http://www.phrack.org

Wolfram. Gloger.ptmalloc2 & ptmalloc3 homepage.http://www.malloc.de/en/

Yves. Younan.dnmalloc homepage.http://www.fort-knox.org/taxonomy/term/3



http://www.malloc.de/en/

http://www.fort-knox.org/taxonomy/term/3


Bibliography III

Jakub. Jelinek.Fortify Source patch.http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

Captain. Planet.A eulogy of format stringPhrack #67 http://www.phrack.org

Dan. Rosenberg.Fun with FORTIFY SOURCEhttp://drosenbe.blogspot.com/2010/04/fun-with-fortifysource.html


http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html


http://drosenbe.blogspot.com/2010/04/fun-with-fortifysource.html

http://drosenbe.blogspot.com/2010/04/fun-with-fortifysource.html


Bibliography IV

Canonical. Ubuntu.Ubuntu Security Featureshttps://wiki.ubuntu.com/Security/Features

Debian. Security DevelopersDebian Hardeninghttp://wiki.debian.org/Hardening

Fedora. Security DevelopersFedora Security Featureshttp://fedoraproject.org/wiki/Security/Features


https://wiki.ubuntu.com/Security/Features

http://wiki.debian.org/Hardening

http://fedoraproject.org/wiki/Security/Features

http://fedoraproject.org/wiki/Security/Features


Bibliography V

Checksec. Trapkitchecksec.shhttp://tk-blog.blogspot.com/2009/02/checksec.html

blog. StalkR19 - Another small bug - PCTFhttp://blog.stalkr.net/2011/04/pctf-2011-19-another-small-bug.html

Emilien. GiraultComprendre le role des sections PLT et GOT dans l’editionde liens dynamiquehttp://www.segmentationfault.fr/linux/role-plt-got-ld-so/


http://tk-blog.blogspot.com/2009/02/checksec.html

http://tk-blog.blogspot.com/2009/02/checksec.html

http://blog.stalkr.net/2011/04/pctf-2011-19-another-small-bug.html

http://blog.stalkr.net/2011/04/pctf-2011-19-another-small-bug.html

http://www.segmentationfault.fr/linux/role-plt-got-ld-so/

http://www.segmentationfault.fr/linux/role-plt-got-ld-so/


Bibliography VI

Relro. TrapkitRELRO - A (not so well known) Memory CorruptionMitigation Techniquehttp://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html

blog. xorlLinux GLibC Stack Canary Valueshttp://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/


http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html

http://tk-blog.blogspot.com/2009/02/relro-not-so-well-known-memory.html

http://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/

http://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/

Documents

Defeat userland exploits on Linux - ENSIMAGensiwiki.ensimag.fr/.../e/e1/...Defeat_userland_exploits_on_Linux.pdf · Full RELRO running processes on Ubuntu Maverick 10.10: No RELRO