IDS
mailing list archives
Re: [ANNOUNCE] glibc heap protection patch
From: "Eugene Tsyrklevich" <eugene () securityarchitects com>
Date: Tue, 2 Dec 2003 03:27:52 -0800 (PST)
Hello,
Your heap protection scheme is based on checking the validity of the chunk
structure magic value that is calculated as
(chunk)->magic = (((int) chunk) ^ *__heap_magic ^ (chunk)->size)
I believe that "chunk" and "(chunk)->size" can be considered to be known
to attackers and thus contain no entropy. Thus the security of your scheme
is based on the randomness of the "__heap_magic" value which is calculated
as
+#ifdef __HEAP_PROTECTION
[snip]
+ srand(time(NULL));
+ *__heap_magic = rand();
[snip]
+ if (mprotect(__heap_magic, sizeof(*__heap_magic), PROT_READ))
+ fprintf(stderr, "glibc: WARNING: unable to protect heap magic!\n");
+#endif /* __HEAP_PROTECTION */
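Review bot: the `srand(time(NULL)); *__heap_magic = rand();` pair makes the process-wide secret a function of the start second alone, so an attacker who can bound when the process started (the uptime argument in the reply above) needs only a few hundred candidate values, and any leak of one canary gives `*__heap_magic` back by XOR because the chunk address and size are already known to the attacker. Read the secret from /dev/urandom instead (falling back to a strong mix only if that fails), and do not call `srand()` at all, since a preloaded library reseeding the global `rand()` state silently changes the sequence seen by an application that seeds it itself, which conflicts with the announcement's "transparent to existing applications". Separately, `mprotect(__heap_magic, sizeof(*__heap_magic), PROT_READ)` only works if `__heap_magic` is page aligned (otherwise it fails with EINVAL and only the warning is printed) and it makes the whole enclosing page read-only, so the secret should live in its own page-aligned mapping and the failure should be treated as fatal rather than a warning.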
With such a poor random number generator you only raise the bar slightly
higher, whereby attackers have to predict your "random" canary in their
exploits.
Also, since you initialize "__heap_magic" once per process, an attacker
might be able to use nmap to determine the uptime of the victim machine
which will quite precisely determine when a process was started (a valid
assumption for daemon processes).
cheers,
eugene
Hi all,
I'd just like to announce that we have a heap protection system for
glibc available for download. The system detects and prevents all heap
overflow exploits that modify inline control information from
succeeding against a protected application, can be installed
system-wide or on a per-process basis using LD_PRELOAD, and is
transparent to existing applications.
We would definitely appreciate any feedback and bug reports on the code.
The patch and some additional information are available at:
http://www.cs.ucsb.edu/~wkr/projects/heap_protection/
Enjoy!
--
William Robertson
Reliable Software Group, UC Santa Barbara
http://www.cs.ucsb.edu/~wkr/
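The two attacks Eugene describes, as an added illustration that is not part of the original thread or of the UCSB patch: only the canary formula (`chunk ^ *__heap_magic ^ size`) and the `srand(time(NULL))` / `rand()` seeding are taken from the quoted patch; the function names, the chunk address, the chunk size and the start time are constructed for this example. The first function shows that a single leaked canary yields the secret by XOR because the address and size carry no entropy; the second shows that with no leak at all, a start-time estimate good to plus or minus 60 seconds reduces the canary to 121 candidates that an exploit can simply iterate.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* The canary as computed by the quoted patch: address XOR secret XOR size. */
static uint32_t chunk_magic(uintptr_t chunk, uint32_t heap_magic, uint32_t size)
{
    return (uint32_t)chunk ^ heap_magic ^ size;
}

/* Mimics the patch's once-per-process initialisation of *__heap_magic
 * (constructed here as a function taking the start time as a parameter). */
static uint32_t init_heap_magic(time_t start_time)
{
    srand((unsigned)start_time);
    return (uint32_t)rand();
}

/* Attack 1: the chunk address and size are attacker-known, so one leaked
 * canary (info leak, core file, readable chunk header) gives the secret
 * with a single XOR. */
static uint32_t recover_heap_magic(uint32_t leaked_magic, uintptr_t chunk, uint32_t size)
{
    return leaked_magic ^ (uint32_t)chunk ^ size;
}

/* Attack 2: no leak, guess the seed. If the process start time is known to
 * within +/- slack seconds (for a daemon, boot time from an uptime probe),
 * the secret is one of at most 2*slack+1 values. Returns the 0-based index
 * of the matching candidate within that window, or -1 if none matched. */
static int find_seed_offset(uint32_t real_magic, time_t estimate, int slack)
{
    int index = 0;
    for (time_t t = estimate - slack; t <= estimate + slack; t++, index++) {
        if (init_heap_magic(t) == real_magic)
            return index;
    }
    return -1;
}

/* Number of candidate canaries an exploit must try for a given uncertainty. */
static int candidate_count(int slack)
{
    return 2 * slack + 1;
}

int main(void)
{
    uintptr_t chunk = 0x0804a008;   /* constructed: typical i386 heap address of the era */
    uint32_t size = 0x29;           /* constructed: 40-byte chunk with PREV_INUSE set */
    time_t t0 = 1070364472;         /* constructed: the daemon's real start time */

    uint32_t secret = init_heap_magic(t0);
    uint32_t magic = chunk_magic(chunk, secret, size);

    printf("secret                        = 0x%08x\n", secret);
    printf("recovered from leaked canary  = 0x%08x\n",
           recover_heap_magic(magic, chunk, size));
    /* Attacker's uptime estimate is 17 s off; the window still contains t0. */
    printf("secret found at offset %d of %d candidates (estimate +/- 60 s)\n",
           find_seed_offset(secret, t0 + 17, 60), candidate_count(60));
    return 0;
}
```

The seed search calls `srand()`/`rand()` once per candidate, which is exactly what a brute-force exploit would do offline before sending its payloads; in a real attack each candidate costs one connection to the target, so 121 attempts is well within reach, whereas a secret drawn from /dev/urandom would require on the order of 2^31 attempts.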