OSEC

From: Crispin Cowan (crispinWIREX.COM)
Date: Mon Apr 02 2001 - 03:47:23 CDT

    fish stiqz wrote:

    > On Sat Mar 31 10:47PM 2001, Makoto Iwamura <iwamuraPB.HIGHWAY.NE.JP> wrote:
    > > If you implement printf()(fprintf(),syslog(),,,etc.) that doesn't access
    > > arguments more than "num" value, you can protect applications from format
    > > string attacks. If we will make a new built-in function instead of calling
    > > get_number_of_args, you can get the number of arguments with only one
    > > statement added.
    >
    > No, you cannot assume that in order to exploit a format string
    > vulnerability an attacker must use more arguments than are specified
    > at compile time. You *can* successfully exploit a format string
    > vulnerability with the same number of arguments or less.
    > Consider the following example: (looks similar to splitvt?? ;)

    That's a very interesting development. We've been looking for such an example
    for some time, but considered it only a theoretical possibility.

    The particular straw man and exploit that fish stiqz presents depends on doing a
    classical stack smash. Immunix systems are built with both FormatGuard and
    StackGuard, so this won't actually work. Can stiqz's example be altered or
    generalized so that it does not depend on a buffer overflow? I.e., so that one
    can achieve the usual format bug effect of overwriting *arbitrary* program
    state, rather than linear adjacent state as in this example?

    Thanks,
        Crispin

    >
    >
    > /* fmt.c - format string demo program */
    > #include <stdio.h>
    > #include <stdlib.h>
    > #include <string.h>   /* strlen() */
    >
    > char *config_file = "%s/.programrc";
    >
    > void file(char *conf, char *home)
    > {
    >     char buf[256];
    >
    >     /* the format string is attacker-controlled: "%.260x" consumes only
    >        one argument but expands to 260 bytes and overruns buf, even though
    >        the format itself is far shorter than 255 bytes */
    >     sprintf(buf, config_file, home);
    >
    >     printf("buf: %s\n", buf);
    >     return;
    > }
    >
    > int main(int argc, char **argv)
    > {
    >     char *home = getenv("HOME");
    >
    >     /* getenv() returns NULL when HOME is unset; strlen(NULL) would crash */
    >     if(home == NULL)
    >         exit(1);
    >
    >     if(argc == 2)
    >     {
    >         config_file = argv[1];
    >
    >         /* make sure we can't overflow it */
    >         if(strlen(config_file) > 255)
    >             exit(1);
    >     }
    >     else
    >     {
    >         /* make sure we can't overflow it */
    >         if(strlen(home) + strlen(config_file) - 2 > 255)
    >             exit(1);
    >     }
    >     file(config_file, home);
    >     return 0;
    > }
    >
    > $ gcc -o fmt fmt.c
    > $ gdb ./fmt
    > (gdb) run %.260xABCD
    > Program received signal SIGSEGV, Segmentation fault.
    > 0x44434241 in ?? ()
    > (gdb) info reg
    > eax 0x10e 270
    > ecx 0x1 1
    > edx 0x80485f6 134514166
    > ebx 0x231098 2298008
    > esp 0xbffffa0c 0xbffffa0c
    > ebp 0x32386666 0x32386666
    > esi 0x126484 1205380
    > edi 0x2 2
    > eip 0x44434241 0x44434241
    > ...
    >
    > I only used one argument to exploit that, if you look closely you'll
    > notice it works just like a classical buffer overflow, overwriting the
    > return address of the "file" function. Now, if I read this correctly
    > your solution would not defend against this. I think a better way to
    > solve format string problems is to actually make a parser for it, or
    > integrate into the gcc parser itself, (isn't this being done in gcc 3.0?).
    >
    > - fish stiqz.
    >
    > --
    > fish stiqz <fishanalog.org>
    > irc>irl?werd():lame()

    --
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:                http://immunix.org
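The following is an added example for this archive page, not code from either poster or from FormatGuard. It implements the format-string parser fish stiqz suggests, counting the arguments a printf-style format consumes, and uses it to show the point of the thread in running code: "%.260xABCD" consumes exactly one argument, exactly as many as the call site supplies, yet expands to 264 bytes, so an arity check alone cannot stop it. The hardened path builder therefore also pins the single conversion to %s and lets snprintf bound the write. Function names, the 256-byte buffer size taken from fmt.c, and the sample HOME values are all constructed for the demo.

```c
/* fmtcount.c - added example for this thread (not from the original posts).
 * A format-string parser of the kind fish stiqz suggests, used to show why
 * "count the arguments" alone does not stop the %.260x attack: that format
 * consumes exactly one argument, yet expands to 264 bytes.  The hardened
 * builder therefore also pins the conversion to %s and lets snprintf bound
 * the write.  All inputs below are constructed for the demo. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Number of variadic arguments fmt consumes, or -1 if malformed or if it
 * uses positional "%n$" conversions (which defeat simple counting).
 * "%%" consumes nothing; a '*' width or precision consumes one extra int.
 * If convs is non-NULL the conversion characters seen are stored there. */
int count_format_args(const char *fmt, char *convs, size_t convs_sz)
{
    int nargs = 0, nconv = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                               /* literal '%' */
        while (*p && strchr("-+ #0'", *p))          /* flags */
            p++;
        if (*p == '*') { nargs++; p++; }            /* width from an argument */
        else while (isdigit((unsigned char)*p)) p++;
        if (*p == '.') {                            /* precision */
            p++;
            if (*p == '*') { nargs++; p++; }
            else while (isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlLqjzt", *p))         /* length modifiers */
            p++;
        if (*p == '\0' || *p == '$' || !strchr("diouxXeEfFgGaAcspn", *p))
            return -1;
        if (convs && (size_t)nconv < convs_sz)
            convs[nconv] = *p;
        nconv++;
        nargs++;
    }
    return nargs;
}

/* Bytes (excluding the NUL) that sprintf would emit for fmt and its
 * arguments; vsnprintf with size 0 computes this without writing anywhere. */
int expanded_length(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened replacement for the demo's file(): accept only a format that
 * consumes exactly one argument via %s (so %x, %n and %*s are refused), then
 * bound the write with snprintf and treat truncation as an error instead of
 * trusting a strlen() check on the inputs.  Returns the path length or -1. */
int safe_build_path(char *buf, size_t bufsz, const char *fmt, const char *home)
{
    char conv[1] = { 0 };
    if (count_format_args(fmt, conv, sizeof conv) != 1 || conv[0] != 's')
        return -1;
    int n = snprintf(buf, bufsz, fmt, home);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return n;
}

/* Same 256-byte stack buffer as the original fmt.c, for demonstration. */
int demo_build(const char *fmt, const char *home)
{
    char buf[256];
    return safe_build_path(buf, sizeof buf, fmt, home);
}

/* Constructed sample: a HOME value long enough to overflow on its own. */
const char *constructed_long_home(void)
{
    static char home[301];
    memset(home, 'A', 300);
    home[300] = '\0';
    return home;
}

int main(void)
{
    const char *attack = "%.260xABCD";
    printf("%s consumes %d arg(s) but expands to %d bytes\n", attack,
           count_format_args(attack, NULL, 0),
           expanded_length(attack, 0x10eu));                 /* 1 arg, 264 bytes */
    printf("hardened: %d %d %d\n",
           demo_build("%s/.programrc", "/home/fish"),        /* 21 */
           demo_build(attack, "/home/fish"),                 /* -1 */
           demo_build("%s/.programrc", constructed_long_home())); /* -1 */
    return 0;
}
```

The parser is deliberately strict: positional conversions and a trailing lone '%' are rejected outright rather than guessed at, because a counting defense that mis-parses is worse than none. Note that the arity check and the %s pin are what stop "%n" and "%.260x"; the snprintf bound is what stops an over-long HOME, which the original strlen() arithmetic also covered, but without the off-by-"%s" bookkeeping.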