Address-Space Layout Randomization (ASLR) is a technique used to thwart attacks that rely on knowing the location of the target code or data. The effectiveness of ASLR hinges on the entire address space layout remaining unknown to the attacker. Only executables compiled as Position Independent Executables (PIE) obtain the maximum protection from ASLR, since all of their sections are loaded at random locations. We have identified a security weakness, named offset2lib, in the Linux implementation of ASLR when the executable is compiled as PIE. A proof-of-concept (PoC) attack is described to illustrate how offset2lib can be exploited. Our attack bypasses the three most widely adopted and effective protection techniques: the No-eXecutable bit (NX), address space layout randomization (ASLR) and the stack smashing protector (SSP). A remote shell is obtained in less than one second. Finally, we discuss how the RenewSSP technique can be used as a workaround, and we present how to remove the offset2lib weakness from the current ASLR implementation.
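The offset2lib symptom is that a PIE executable is mapped at a fixed distance from the shared libraries, so leaking one executable address reveals libc despite ASLR. As an added example, not code from the paper, the following Python audit compares /proc/<pid>/maps snapshots taken from repeated runs of the same PIE binary and reports whether the executable-to-libc distance stays constant; the maps lines, the path /home/user/server and the libc file name are constructed.

```python
import re
from typing import Dict, List, Optional

EXE = "/home/user/server"  # constructed path of the PIE binary under test

# Constructed /proc/<pid>/maps snapshots from two runs on a pre-fix kernel:
# both bases move, but the executable stays exactly 0x59c000 above libc.
VULN_A = """7f3a5ae06000-7f3a5af9a000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.19.so
7f3a5b3a2000-7f3a5b3a3000 r-xp 00000000 08:01 4242 /home/user/server
7ffd1c2e0000-7ffd1c301000 rw-p 00000000 00:00 0 [stack]"""
VULN_B = """7f8e12c06000-7f8e12d9a000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.19.so
7f8e131a2000-7f8e131a3000 r-xp 00000000 08:01 4242 /home/user/server
7ffc04120000-7ffc04141000 rw-p 00000000 00:00 0 [stack]"""
# Constructed snapshots where the executable base is randomized independently.
FIXED_A = """55d0c2a00000-55d0c2a01000 r-xp 00000000 08:01 4242 /home/user/server
7f0a8e006000-7f0a8e19a000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.19.so"""
FIXED_B = """5605f1200000-5605f1201000 r-xp 00000000 08:01 4242 /home/user/server
7f77b3c06000-7f77b3d9a000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.19.so"""

# One maps line: "start-end perms offset dev inode [path]"
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$")


def base_addresses(maps_text: str) -> Dict[str, int]:
    """Lowest start address of every path-backed mapping in one snapshot."""
    bases: Dict[str, int] = {}
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m or not m.group(3):
            continue  # anonymous or malformed line
        start, path = int(m.group(1), 16), m.group(3)
        bases[path] = min(start, bases.get(path, start))
    return bases


def exe_to_libc_offset(maps_text: str, exe_path: str) -> Optional[int]:
    """Signed distance libc_base - exe_base, or None if either is missing."""
    bases = base_addresses(maps_text)
    libc = [p for p in bases if re.search(r"/libc[.-]", p)]
    if exe_path not in bases or not libc:
        return None
    return bases[libc[0]] - bases[exe_path]


def offset2lib_exposed(snapshots: List[str], exe_path: str) -> bool:
    """True when every run shows the same exe-to-libc distance: leaking the
    executable base then reveals libc despite PIE and ASLR."""
    offsets = {exe_to_libc_offset(s, exe_path) for s in snapshots}
    return len(snapshots) > 1 and None not in offsets and len(offsets) == 1
```

On a live system, each snapshot is the content of /proc/<pid>/maps read from a fresh run of the same binary; several runs are needed, because a single snapshot cannot distinguish a fixed distance from a random one.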