Security
Address space randomization in 2.6
Arjan van de Ven has posted a series of patches which add some address space randomization to the 2.6 kernel. With these patches applied, each process's stack will begin at a random location, and the beginning of the memory area used for mmap() (which is where shared libraries go, among other things) will be randomized as well. These patches represent an improvement in the kernel's security infrastructure, but the reception on the public lists has been surprisingly hostile.

Many buffer overflow exploits, especially those used in large-scale attacks, contain hardcoded addresses. An exploit which overflows a stack variable will place some executable code on the stack; it then overwrites the return pointer so that the broken function "returns" into the exploit code. If you look at a given distribution's shipped version of a vulnerable program, an exploit will always be able to place its payload at the same address on the stack, so it can contain that address directly. If, instead, the exploit author does not know ahead of time where the payload will end up, actually getting the computer to execute that code will be much harder.
That is why the stack randomization patch helps. When the stack location is deterministic, a relatively simple exploit can be made to work on all systems running the vulnerable distribution. If the stack moves, instead, hardcoded addresses no longer work.
Moving the mmap() area has similar benefits. One popular type of exploit prepares the stack and then "returns" into a shared library somewhere. That return can, for example, cause the application to behave as if it had intentionally called system() or a similar library function. Moving the libraries around makes these attacks harder.
One of the biggest complaints that has been raised is that the amount of randomization is insufficient. The patches, as posted, vary the stack base within a 64KB area and the mmap() base within a 1MB range. Alignment requirements prevent arbitrary addresses from being used, so only a relatively small number of possible base addresses exists. So a determined attacker could repeatedly run a hardcoded exploit with some assurance that, within a reasonable amount of time, the stack would land at the right place and the exploit would work. Placing a long series of no-op instructions at the beginning of the payload can also make an exploit more robust when faced with randomization.
Arjan responds that the amount of randomization is not the issue at the moment. He is trying to get the infrastructure into the kernel and tested in a minimally disruptive way; the degree of randomization can be tweaked upward later on. That amount may never get as high as some people would like, at least on 32-bit systems, because it cuts back on the available virtual address space. But it is likely to go up once the developers are convinced that things are working.
In any case, more randomness makes the problem harder, but does not change its fundamental nature. With the ability to keep trying, an attacker will eventually get around any degree of randomization possible on 32-bit systems (64-bit systems are a different story). Thus, says Ingo Molnar:
Randomization is not a magic bullet which solves a wide range of security problems. It does make an attack harder, however, and that can only be a good thing.
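A way to check what a given kernel actually provides, as an added example that is not code from the article or from Arjan's patches: it spawns fresh processes, parses their /proc/&lt;pid&gt;/maps, and counts the distinct stack and shared-library bases seen, alongside the entropy left in the posted 64KB and 1MB ranges once alignment is accounted for. The 16-byte stack and 4KB mmap() alignments are assumptions, and the sampling part needs a Linux host.

```python
"""Measure stack / mmap() base randomization on a running kernel.

Added example, not code from the LWN article or Arjan van de Ven's patches.
Fresh processes are spawned, their /proc/<pid>/maps parsed, and the distinct
[stack] and first shared-library bases counted. Alignments are assumptions.
"""
import math
import re
import subprocess

# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$")

def parse_maps(text):
    """Return (stack_base, first_library_base); None for anything not found."""
    stack = lib = None
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, path = int(m.group(1), 16), m.group(2).strip()
        if path == "[stack]":
            stack = start
        elif lib is None and ".so" in path:  # shared libraries sit in the mmap() area
            lib = start
    return stack, lib

def theoretical_bits(range_bytes, alignment):
    """Entropy bits for a base anywhere in range_bytes: alignment cuts the
    number of usable positions, which is the objection raised on the lists."""
    return int(math.log2(range_bytes // alignment))

def expected_tries(bits):
    """Average runs a fixed-address exploit needs before the base matches."""
    return (2 ** bits) // 2

def sample_bases(runs):
    """Spawn `runs` fresh processes; each cat reads its own maps file."""
    stacks, libs = set(), set()
    for _ in range(runs):
        out = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                             text=True, check=True).stdout
        stack, lib = parse_maps(out)
        stacks.add(stack)
        libs.add(lib)
    return stacks, libs

if __name__ == "__main__":  # the patches' posted ranges: 64KB stack, 1MB mmap()
    print("theoretical bits:", theoretical_bits(64 * 1024, 16), theoretical_bits(1 << 20, 4096))
    stacks, libs = sample_bases(50)
    print("distinct stack / library bases in 50 runs:", len(stacks), len(libs))
```

With the posted ranges this comes out to 12 bits for the stack and 8 bits for mmap(), so a fixed-address exploit would need on average about 2048 or 128 runs respectively, which is the brute-force objection in numbers; a kernel without randomization reports a single distinct base for each.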
New vulnerabilities
bind: validator function denial of service
| Package(s): | bind | CVE #(s): | CAN-2005-0034 |
| Created: | January 27, 2005 | Updated: | February 1, 2005 |
| Description: | A vulnerability was discovered in BIND version 9.3.0: an incorrect assumption in the validator function can be exploited by a remote attacker to cause named to exit prematurely. |
| Alerts: | |
ClamAV: multiple issues
| Package(s): | clamav | CVE #(s): | CAN-2005-0133 |
| Created: | January 31, 2005 | Updated: | March 3, 2005 |
| Description: | ClamAV fails to properly scan ZIP files with special headers and base64 encoded images in URLs. |
| Alerts: | |
cpio - file permissions error
| Package(s): | cpio | CVE #(s): | CAN-1999-1572 |
| Created: | February 2, 2005 | Updated: | July 19, 2005 |
| Description: | Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions. |
| Alerts: | |
f2c: insecure temp files
| Package(s): | f2c | CVE #(s): | CAN-2005-0017 CAN-2005-0018 |
| Created: | January 27, 2005 | Updated: | April 20, 2005 |
| Description: | The f2c Fortran-to-C translator has a vulnerability due to insecure opening of temporary files. A local attacker can use this to launch a symlink attack. |
| Alerts: | |
FireHOL: insecure temporary file creation
| Package(s): | FireHOL | CVE #(s): | |
| Created: | February 1, 2005 | Updated: | February 1, 2005 |
| Description: | FireHOL insecurely creates temporary files with predictable names. A local attacker could create malicious symbolic links to arbitrary system files. When FireHOL is executed, this could lead to these files being overwritten with the rights of the user launching FireHOL, usually the root user. |
| Alerts: | |
Gallery: cross-site scripting vulnerability
| Package(s): | gallery | CVE #(s): | |
| Created: | January 31, 2005 | Updated: | February 10, 2005 |
| Description: | Rafel Ivgi has discovered a cross-site scripting vulnerability where the 'username' parameter is not properly sanitized in 'login.php'. See this Gallery announcement for the release of 1.4.4-pl5 for more information. |
| Alerts: | |
ncpfs: multiple vulnerabilities
| Package(s): | ncpfs | CVE #(s): | CAN-2005-0013 CAN-2005-0014 |
| Created: | January 31, 2005 | Updated: | May 15, 2006 |
| Description: | Erik Sjolund discovered two vulnerabilities in the programs bundled with ncpfs: there is a potentially exploitable buffer overflow in ncplogin (CAN-2005-0014), and due to a flaw in nwclient.c, utilities using the NetWare client functions insecurely access files with elevated privileges (CAN-2005-0013). |
| Alerts: | |
ngIRCd: buffer overflow
| Package(s): | ngIRCd | CVE #(s): | |
| Created: | January 28, 2005 | Updated: | February 1, 2005 |
| Description: | Florian Westphal discovered a buffer overflow caused by an integer underflow in the Lists_MakeMask() function of lists.c. See the ngIRCd 0.8.2 release announcement for more information. |
| Alerts: | |
openswan: stack based buffer overflow
| Package(s): | openswan | CVE #(s): | CAN-2005-0162 |
| Created: | January 28, 2005 | Updated: | February 1, 2005 |
| Description: | A stack-based buffer overflow in the get_internal_addresses function in the pluto application for Openswan 1.x before 1.0.9, and Openswan 2.x before 2.3.0, when compiled with XAUTH and PAM enabled, allows remote authenticated attackers to execute arbitrary code. |
| Alerts: | |
perl: setuid vulnerabilities
| Package(s): | perl | CVE #(s): | CAN-2005-0155 CAN-2005-0156 |
| Created: | February 2, 2005 | Updated: | August 11, 2006 |
| Description: | There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access. |
| Alerts: | |
postgresql: privilege escalation via LOAD
| Package(s): | postgresql | CVE #(s): | CAN-2005-0227 |
| Created: | February 1, 2005 | Updated: | February 7, 2005 |
| Description: | John Heasman has discovered a local privilege escalation in the PostgreSQL server. Any user could use the LOAD extension to load any shared library into the PostgreSQL server; the library's initialization function was then executed with the permissions of the server. |
| Alerts: | |
SquirrelMail: multiple vulnerabilities
| Package(s): | squirrelmail | CVE #(s): | CAN-2005-0075 CAN-2005-0103 CAN-2005-0104 |
| Created: | January 28, 2005 | Updated: | July 19, 2005 |
| Description: | SquirrelMail 1.4.4 has been released, fixing a number of security issues that have been resolved since 1.4.3a. |
| Alerts: | |
uw-imap: authentication bypass
| Package(s): | uw-imap imap | CVE #(s): | CAN-2005-0198 |
| Created: | February 2, 2005 | Updated: | March 1, 2005 |
| Description: | The uw-imap package, prior to version 2004b, contains a vulnerability which can enable a remote attacker to bypass the authentication mechanism. This bug only affects CRAM-MD5 authentication, which is not enabled on all distributions. |
| Alerts: | |
Page editor: Jonathan Corbet