Search This Blog

Tuesday, October 11, 2005

[REVS] Smack the Stack - Advanced Buffer Overflow Methods (Virtual Address)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Smack the Stack - Advanced Buffer Overflow Methods (Virtual Address)
------------------------------------------------------------------------

SUMMARY

From time to time, a new patch or security feature is integrated to raise
the bar on buffer overflow exploiting. The paper linked here includes five
creative methods to overcome various stack protection patches, but in
practice focus on the VA (Virtual Address) space randomization patch that
have been integrated to Linux 2.6 kernel. These methods are not limited to
this patch or another, but rather provide a different approach to the
buffer overflow exploiting scheme.

DETAILS

VA Patch:
Causes certain parts of a process virtual address space to be different
for each invocation of the process. The purpose of this is to raise the
bar on buffer overflow exploits. As full randomization makes it not
possible to use absolute addresses in the exploit. Randomizing the stack
pointer and mmap() addresses. Which also effects where shared libraries
goes, among other things. The stack is randomized within an 8Mb range and
applies to ELF binaries. The patch intedned to be an addition to the NX
support that was added to the 2.6 kernel earlier as well. This paper
however addressed it as solo.

The full paper can be downloaded from:
<http://www.tty64.org/doc/smackthestack.txt>
http://www.tty64.org/doc/smackthestack.txt

ADDITIONAL INFORMATION

The information has been provided by <mailto:izik@tty64.org> Izik.
The original article can be found at:
<http://www.tty64.org/doc/smackthestack.txt>
http://www.tty64.org/doc/smackthestack.txt

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)