[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Offset2lib: bypassing full ASLR on 64bit Linux
- To: full-disclosure@xxxxxxxxxxxxxxxxx, fulldisclosure@xxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx
- Subject: [FD] Offset2lib: bypassing full ASLR on 64bit Linux
- From: Hector Marco <hecmargi@xxxxxx>
- Date: Thu, 04 Dec 2014 21:19:04 +0100
Hi,
This is a disclosure of a weakness of the ASLR Linux implementation.
The problem appears when the executable is PIE compiled and it has an
address leak belonging to the executable. We named this weakness:
offset2lib.
In this scenario, an attacker is able to de-randomize all mmapped
areas (libraries, mapped files, etc.) by knowing only an address
belonging to the application and the offset2lib value.
We have built a PoC which bypasses on a 64 bit Linux system, the three
most widely adopted and effective protection techniques: No-eXecutable
bit (NX), address space layout randomization (ASLR) and stack smashing
protector (SSP). The exploit obtains a remote shell in less than one
second.
We have proposed the ASLRv3 which is a small Linux patch which removes
the offset2lib weakness.
Details of the weakness, steps to exploit the offset2lib weakness, a working
proof of concept exploit, recommendations and a demonstrative video has
been
publish at: http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html
Hector Marco.
http://cybersecurity.upv.es
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/