Professional Documents
Culture Documents
En - Infiltrate 12 - The Stack Is Back - Jon Oberheide
En - Infiltrate 12 - The Stack Is Back - Jon Oberheide
En - Infiltrate 12 - The Stack Is Back - Jon Oberheide
● Heap: ● Stack:
● Complicated ● Easy
● Requires skillz ● Doesn't
● Bad connotation: ● Good connotation:
“heap of trash” “stack of bills”
● The 1%, elitist, ● Saves kittens from
pro-life, racist burning buildings
high address
start of stack
grows down
BUFFER OVERFLOW
unused
end of stack
low address
stack
stack pointer
end of stack
low address
stack pointer
● Stack overflows
● Misuse of terminology
● Jono's definition:
Frame 1
● Incremental
overflows void func() {
func();
Frame 2
● Recursion
Frame 4
end of stack Frame 5
Frame 6
Frame 1
● Allocation
overflows alloca(CRAP_LOAD);
Frame 2
● Large local
stack vars alloca
stack space
● Dynamic allocations:
VLAs, alloca(3) end of stack
1855
FOR0DAY
Android Phone T-Shirt Phone Number
● Exploitable?
● Ehhhh...
unused
● Most commonly 8k, some
distros use 4k
● THREAD_SIZE =
2*PAGE_SIZE = low address
2*4086 = 8192
If we control an incremental or
allocation stack overflow in the Linux
kernel, we can cause our thread's
kernel stack to collide with the
thread_info structure.
thread_info
current_thread_info
● x86_64
● Pretty clean, dedicated interrupt stacks
● x86_32
● Interrupt stack shared with process stack
● Less predictability, but more opportunity to
trigger a stack overflow
● ARM, alpha, others
● restart_block is on end of thread_info :-)
inet_sendmsg
● Attempt #1 sock_sendmsg
● Expand VLA to hit thread_info directly econet_sendmsg
● Overwrite restart_block/addr_limit
with attacker controlled values
● Thwarted! VLA
● Subsequent function calls in sendmsg
will clobber sensitive
restart_block restart_block
thread_info members addr_limit addr_limit
sock_sendmsg
thread_info
end of stack
The Stack is Back – Jon Oberheide Slide #30
Attempt #2
start of stack
udp_sendmsg
inet_sendmsg
● Attempt #2 sock_sendmsg
● Expand VLA to just above thread_info econet_sendmsg
● Overwrite using the stack frames of
subsequent calls (sock_sendmsg)
VLA
● Semi-thwarted!
● Overwrite value is uncontrolled and a
kernel space value so sock_sendmsg
call frames
restart_block restart_block
restart_block is no good addr_limit addr_limit
● What about addr_limit? thread_info
end of stack
The Stack is Back – Jon Oberheide Slide #31
Attempt #2 continued
● We can hit addr_limit with a value that
represents a high kernel space value
● Overwrite of addr_limit occurs in sock_sendmsg call
oldfs = get_fs();
set_fs(KERNEL_DS);
err = sock_sendmsg(udpsock, &udpmsg, size);
set_fs(oldfs);
inet_sendmsg
● Attempt #3 sock_sendmsg
● Blow past thread_info and with VLA econet_sendmsg
and “write-back” towards the end of
the kernel stack if (!access_ok(VERIFY_READ,
base, iov_len)) {
● Overwrite task_struct with an attacker mutex_unlock(&econet_mutex);
return -EFAULT;
controlled address }
1855
FOR0DAY
Android Phone T-Shirt Phone Number
DEMO TIME?
http://jon.oberheide.org/files/half-nelson.c
1855
FOR0DAY
Android Phone T-Shirt Phone Number
● GIVE UP HEAPSTERS!
● Win8 fixed everything, the heap is over
● Stack overflows are exploitable
● At least in the Linux kernel
● How about your favorite OS? Windows/BSD/etc?
● Don't shun “unexploitable” vuln classes
● Other situations? Userspace via browser/js?
● #busticati
● $1$kk1q85Xp$Id.gAcJOg7uelf36VQwJQ/
● ;PpPppPpPpPPPpP
QUESTIONS?
Jon Oberheide
jon@oberheide.org
Duo Security