From carrier.kiev.ua!sita!news.tav.kiev.ua!mailgate Sun Feb 9 19:38:10 1997
Newsgroups: tav.freebsd.hackers
Path: carrier.kiev.ua!sita!news.tav.kiev.ua!mailgate
From: Alexander Snarskii <snar@lucky.net>
Message-ID: <199702091525.RAA05048@burka.carrier.kiev.ua>
Subject: Increasing overall security....
To: freebsd-hackers@freebsd.org
Date: Sun, 9 Feb 1997 17:25:43 +0200 (EET)
Content-type: text/plain; charset=koi8-r
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk
Lines: 222

I want to contribute a patch to libc to make FreeBSD unexploitable with standard 'stack overflow' attacks.

All I wanted is to make my FreeBSD-based host as secure as possible. And I haven't found any such man as Theo de Raadt in the FreeBSD project, so the source tree still contains some exploitable 'stack overflow' security holes, most of which are based on using some 'insecure' functions like 'strcpy', 'sprintf' and so on in setuid programs. 'Why not rewrite those functions to check the stack integrity before return?' said Oleg Panaschenko some time ago, and after some reflection I found that it is not such a bad idea. Yes, we get some overhead by using these functions rather than the standard ones, but, as for me, this overhead is not so big, and the fact that I can sleep without nightmares about another stack overflow exploit is much more important to me.

Well, that is not a panacea, though. I will still have problems with other variants of security holes (with creating temporary files, for example).

I apologise that I used libc from 2.1.5-RELEASE to make that patch, but I have no free computer to run -current. I tested it with -current libc and it applied well.
IDEA NOTES:

There are two new functions: checkframe__(char* a, char* b), which checks that we have no stack frames (generated by `call _func`) in the memory region [a,b], and insane__(char* function-name, char* buffer), which just performs kill(SIGSEGV,getpid()) (because the program would get this signal anyway when 'ret'-ing to a junk address on the stack if exploited) and afterwards exit(1) (for cases like signal(SIG_SEGV,SIG_IGN) :) ). And most functions which can be used for stack exploiting are patched to check the changed memory region to avoid stack violation. These functions are: strcpy, strcat, sprintf (well, 90% of such exploits use them), gets (historical reasons :) ) and memcpy (some things, like scanf and so on, use it).

INSTALLATION NOTES:

This is not just a patch to existing functions; there are three new files for libc, which are attached as a uuencoded .tgz to this letter. You need to extract it with `pwd`=/usr/src/lib . You also need to

cd /usr/src/lib/libc/i386/string/
mv strcpy.S strcpy.S.orig
mv strcat.S strcat.S.orig

(or just remove these files).

Sorry for my English.

diff -r -c libc-old/i386/string/Makefile.inc libc/i386/string/Makefile.inc *** libc-old/i386/string/Makefile.inc Mon Jan 23 03:28:45 1995 --- libc/i386/string/Makefile.inc Tue Feb 4 18:13:03 1997 *************** *** 3,8 **** SRCS+= bcmp.S bcopy.S bzero.S ffs.S index.S memchr.S memcmp.S \ memmove.S memset.S \ ! rindex.S strcat.S strchr.S strcmp.S strcpy.S strcspn.c \ strlen.S strncat.c strncmp.S strncpy.c strpbrk.c strsep.c \ ! strspn.c strrchr.S strstr.c swab.S --- 3,8 ---- SRCS+= bcmp.S bcopy.S bzero.S ffs.S index.S memchr.S memcmp.S \ memmove.S memset.S \ ! rindex.S strchr.S strcmp.S strcspn.c \ strlen.S strncat.c strncmp.S strncpy.c strpbrk.c strsep.c \ ! 
strspn.c strrchr.S strstr.c swab.S checkframe.S insane.c diff -r -c libc-old/i386/string/memmove.S libc/i386/string/memmove.S *** libc-old/i386/string/memmove.S Wed Jun 5 05:47:35 1996 --- libc/i386/string/memmove.S Sat Feb 8 22:16:28 1997 *************** *** 46,53 **** * (ov)bcopy (src,dst,cnt) * ws@tools.de (Wolfgang Solfrank, TooLs GmbH) +49-228-985800 */ ! ALTENTRY(memcpy) ENTRY(memmove) pushl %esi pushl %edi --- 46,54 ---- * (ov)bcopy (src,dst,cnt) * ws@tools.de (Wolfgang Solfrank, TooLs GmbH) +49-228-985800 */ ! /* ALTENTRY(memcpy) + */ ENTRY(memmove) pushl %esi pushl %edi diff -r -c libc-old/stdio/gets.c libc/stdio/gets.c *** libc-old/stdio/gets.c Wed Jun 5 05:49:43 1996 --- libc/stdio/gets.c Sun Feb 9 17:05:33 1997 *************** *** 64,68 **** --- 64,69 ---- else *s++ = c; *s = 0; + if(checkframe__(buf,s)) insane__((char*)"gets",buf); return (buf); } diff -r -c libc-old/stdio/sprintf.c libc/stdio/sprintf.c *** libc-old/stdio/sprintf.c Wed Jun 5 05:49:52 1996 --- libc/stdio/sprintf.c Sun Feb 9 14:42:52 1997 *************** *** 71,75 **** --- 71,76 ---- ret = vfprintf(&f, fmt, ap); va_end(ap); *f._p = 0; + if(checkframe__(str,f._p)) insane__((char*)"sprintf",str); return (ret); } diff -r -c libc-old/string/Makefile.inc libc/string/Makefile.inc *** libc-old/string/Makefile.inc Wed Jun 5 05:50:30 1996 --- libc/string/Makefile.inc Sat Feb 8 22:15:28 1997 *************** *** 5,11 **** CFLAGS += -I${.CURDIR}/locale # machine-independent string sources SRCS+= memccpy.c strcasecmp.c strcoll.c strdup.c strerror.c \ ! strmode.c strtok.c strxfrm.c # machine-dependent string sources .include "${.CURDIR}/${MACHINE}/string/Makefile.inc" --- 5,11 ---- CFLAGS += -I${.CURDIR}/locale # machine-independent string sources SRCS+= memccpy.c strcasecmp.c strcoll.c strdup.c strerror.c \ ! 
strmode.c strtok.c strxfrm.c strcpy.c strcat.c memcpy.c # machine-dependent string sources .include "${.CURDIR}/${MACHINE}/string/Makefile.inc" diff -r -c libc-old/string/strcat.c libc/string/strcat.c *** libc-old/string/strcat.c Fri May 27 07:57:55 1994 --- libc/string/strcat.c Sat Feb 8 21:53:58 1997 *************** *** 43,50 **** --- 43,52 ---- register const char *append; { char *save = s; + char *funct="strcat"; for (; *s; ++s); while (*s++ = *append++); + if(checkframe__(save,s)) insane__(funct,save); return(save); } diff -r -c libc-old/string/strcpy.c libc/string/strcpy.c *** libc-old/string/strcpy.c Fri May 27 07:57:55 1994 --- libc/string/strcpy.c Sat Feb 8 21:54:40 1997 *************** *** 44,50 **** --- 44,52 ---- register const char *from; { char *save = to; + char *func="strcpy"; for (; *to = *from; ++from, ++to); + if(checkframe__(save,to)) insane__(func, save); return(save); } begin 644 tarball.tgz M'XL(`````````^U9;7/;-A+.5^E7[#E-*]JT7FS'L>,X$YJB;=[0HHZD['HZ M'9<F(0D516@(2K::ZW^_75!O?FGSH;[<7"K,)`*QBV=W'P#+)9SPVZ@F\XRG MO=J0#:/1M!J]>N'6J-?W]_;@%5"K/_H%V-O;WP'8WWGWKK'?P'\`C=W&V_U7 M4']I1YYK8YF'&<"K3(C\S_3N^HPE7\.AK]MJFV78!%.,IAGO]7.H1!HT#@\. M=/S_<!=EI:#/P&,]EN821!=R?.RD?,(RR?,IC9AAPKLB2WE8!3"2!!22A(Q) MEDU87$44,N*QF--.NQWG7*00IC&,)0.>@A3C+&)JY):G838%Q!M*'>YXW@>1 MJ5\QS@EE*&+>Y5%(&#J$&8,1RX8\SUD,HTQ,>(R=O!_FRM.N2!)QAYL;(I'& MG"9)0J%Y0Y:_IWZC^L@U%>?,ITC$J(F;!,/)0_254,-;,2'1C#0"P9:*G$=, M1PTN(4$\@EF:5>$]]`F-1DG(ARPCCF#GJ2-H<(61N2,89SQ&Y_X[OD`1Y0PI M%M%XB(L?SA>MANLA4)[!,,Q9QL-$+HE7"T;`JV&HX':K:F^$,>Z<G$LRN9Q/ M!E"1!KLLS,>X=6C9:7NH+8=!2-'-[W#99FXI)M#(*`FGCR()HT$J[A(6]QCA MOB\V,5=>(FTYQA<EXY@M,2%F$Y:($09P.WVZPPE@N<EU.&'9@"5LJECDN-.1 MV")8D4D5[%X56HPKD@@M#8?LF;.3BJ58[;G'6/-8,<1;1FS@H@E@:8PR1@1A M1$.1LWED$@/)$#Z&+@J>Y6UVDD".6$3G"*=R.F`9G:"T.$M2SA:-Y@3GM@^^ M>QI<&9X%V&][[J7=M)IP<HU""SSKS&H%/ABM)IAN*_#LDT[@>C[\\HOAXX0? 
M?B`101FM:[!^;'N6[X/K@7W1=FS$06#/:`6VY>M@MTRGT[1;9\AR)X"6&X!C M7]@!J@6N3O8(Z.E,<$_APO+,<WPT3FS'#JZ50Z=VT")SIVC/@+;A!;;9<0P/ MVAVO[?H*C>)JVK[I&/:%U<0<9K?0,%B7&!;XYX;C/(@3D1Z$>6*AB\:)H["4 M'0RS:7N6&5`\RYZ)K*%WC@Y^VS)MZE@_6AB*X5WK,UC?^E<'E5!(:$WCPCC# MX"I?H`67Q.QXU@4YC$3XG1,_L(-.8,&9ZS9]@D)XW_(N;=/RC\!Q?<58Q[=T M-!(8RCRB(%THQOY)Q[<5<78KL#ROTPYLMZ41T+E[A<R@LP;.;BJ2W9:*&4ER MO6O")3[4&NAP=6[AN$><*M8,XL)']LR`T%8TT2KR&:P$"RWKS+&1==,BJ4M` M5[9O:;ADMD\*=F'YRKA6,794^+18Z%O17=F\NEI2L$_!:%[:Y/Q,&3>";\\V MC7M*2'['/)^Q3^>@5BZ_YET\7%V>LKCBV"?FC6^:O@;??P__F`\G/,VULJ1, M&4'4QZI"1I'D\4\_PS%L?*J\UC`EJ@*K=%!M0&6>1C38K^W5#G<WCLJO\6RC MH1H1,[.AD@RF<R#XF2M%_H(/<BIK$9J7U?['U6%5SM%8>2)XC.>XJ.PJN=!5 M9M`A8:E6+F6LAVD:DY3R=C,71ZMC^)[(9Q*:A#+)?V,W.4T^*G\NETBV"3*< ML&,UM7CNCM/H>*.PB"&5>+<2]5DTZ&:8YFYNR(E<;"'&=D/3,!?+,*5AFH8" M[:BLIJ#:1[*J*,:'#_1`LW#.9RB72HAQK!PIE91H_G#7YPFK$/RV1B%M;Q\K M][>W4?H[L`0SYV>`9S2WM@K-K2W2)";P1916*L3AID9AHG._E__7%=O+MH3J M?[Y[L#__"%BN5=5_(1M?JO_K;_>+^G_W;;VQ1_7_WMY.8UW_?XWVI/XWJ?X_ M?$<UCY&P>\P^6!_Y6(+*`>>86[#W*1E'@VDU9?G'=<6_KOC_I.+_HR(X'./J M9D\+X#"=HL_;_U<U\#.GY%LNA7^:XC%1*_;SNA3^^Y7"136\4H1N-*U3O]K? M6!GQK]4`+H%W_:#VPY)S-);]!-ZPVU&Y-!23HJN_8>']XEG2,\D7NO?+?K34 M"^_U0J:>#RHT25N%:NPLQFA:-!PIL)G*KSV&^>D^/R7?'DBCF=29<)%@QHO+ M"[WW,^@Z(=]K,P?D^#:![^JSIU]_PUTU^"OV=O`9Q4MMQ)M;5F84'FHXC?)R MTD)CYP\T%@J-APJE:ICP7@H[>OW^L%YV&J@X$J,YW0G#TE>5P]]8[;MNS]3_ MQ0?9B_X1X(OU_VYC4?_7=][2_?]^8W==_W^-]I?K?U)T$]:#=IB&$K-].A#P MH<^2WJ<\G%0'G$VJXW#]H;#^4/B[?RBL5L[K+X3U%\(W_86PO(T>IWC>XT<W MU%ANALGC6^N8BT=#4YF(WL.Q29B%64_=>-<VX9^4]08<WRR4'O!D1TRJU!B% MQ=\.\>T>#4!]?T@H"F%U7M%'NM<M+^Z?EY?7Q>M#W?K"2/`4,YE6ICMG,6(I M^E/9*"9MZ(Y[=M-J6HYQ_6_JMG'Q7:_HVDWU2[M4J2''GD97Z"JD"@T9CN4% M^H:O/%RX5N3)N1_P1D)%>0]O1MJ&OO!O[AA=NR=",@)5=^=$1L6WSWSK[%+O ML7S$XXI&:LA6)\U8&/7Y;8+Y'TD:"KKA1Z8DK5F)W?.\TM#@"+ZY:^YU6[=U /6[=U>]3^`W%P;-0`*``` ` end -- Alexander Snarskii the source code is included.
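Review bot: in the i386/string/Makefile.inc hunk, checkframe.S is added only to the i386 SRCS list, but the callers this patch adds (gets.c, sprintf.c, strcat.c, strcpy.c) are machine-independent sources, so every other architecture will fail to link libc with an undefined checkframe__. Either wrap the calls in `#ifdef __i386__` or add a machine-independent fallback that returns 0. insane.c is plain C (kill plus exit, per the IDEA NOTES) and belongs in the MI string/ directory rather than i386/string/.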
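Review bot: in the memmove.S hunk, commenting out `ALTENTRY(memcpy)` removes the memcpy symbol from this file without saying where it now comes from; the string/memcpy.c named in the MI Makefile hunk exists only inside the uuencoded tarball, so the diff alone leaves libc without a memcpy and a reviewer cannot see what the replacement does. Replace the bare `/* ... */` with a one-line comment naming string/memcpy.c and the reason (the C version adds the checkframe__ call). Note also that memmove and bcopy keep the unchecked assembly path; the IDEA NOTES only motivate memcpy via scanf, so that asymmetry deserves a sentence.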
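Review bot: in the gets.c hunk, `if(checkframe__(buf,s)) insane__((char*)"gets",buf);` runs after the bytes have already been written, so everything between buf and the first frame slot (the caller's other locals, including any function pointer) is already clobbered by the time it fires; the check can turn a hijacked return into a SIGSEGV but cannot prevent the overwrite, and the submission should say so. No prototype for checkframe__ or insane__ is visible, so the call relies on an implicit int declaration; add declarations to an internal header and drop the `(char*)` cast by declaring the first parameter `const char *`.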
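Review bot: in the sprintf.c hunk, f._p points at the terminating NUL after `*f._p = 0;`, so `checkframe__(str,f._p)` ends the region at the NUL, while the strcat hunk passes a pointer one past the NUL; whether the terminator is counted then depends on whether checkframe__ treats b as inclusive. Pick one convention (one past the last byte written, so the NUL is always covered) and use it in every caller. Is vsprintf, which is not in this patch, meant to get the same line?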
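Review bot: in the string/Makefile.inc hunk, strcpy.c and strcat.c are added to the machine-independent SRCS list, whereas the i386 Makefile.inc hunk shows the convention that the per-machine list picks the implementation (it used to name strcpy.S and strcat.S); any architecture whose own list still names strcpy or strcat will now build that object twice. The INSTALLATION NOTES also ask the user to rename strcpy.S and strcat.S by hand even though this patch already drops them from SRCS; if that step is still needed, say why, otherwise remove it. memcpy.c is new and is not part of the diff.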
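Review bot: in the strcat.c hunk, `while (*s++ = *append++);` leaves s one past the terminating NUL, so `checkframe__(save,s)` covers [save, NUL+1], while the strcpy hunk below passes `to`, which still points at the NUL; the end-pointer convention should be the same in both. `char *funct="strcat";` is a non-const pointer to a string literal used once; `insane__("strcat", save)` with a `const char *` parameter reads cleaner, and the same local is named funct here but func in strcpy.c.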
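Review bot: in the strcpy.c hunk, the region passed to `checkframe__(save,to)` ends at `to`, which points at the NUL rather than one past it; the terminator is a byte strcpy wrote and must fall inside the checked range if checkframe__ uses a half-open interval. As with strcat, the check fires only after the overflow has already happened. This also replaces the assembly strcpy with a byte-at-a-time C loop plus a frame walk on every call; the e-mail mentions overhead but gives no numbers, so a before/after timing of a strcpy-heavy program would help the discussion.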
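The check the IDEA NOTES describe, as an added example that is not the patch's own code (checkframe.S and insane.c are only inside the uuencoded tarball and are not reproduced here): a reconstruction of the frame-chain walk over a constructed i386-style stack image, so it runs anywhere without depending on the real frame pointer chain. Assumptions, all mine: 4-byte slots; each frame is [saved frame pointer][return address] at the frame pointer, callers lie above callees, and a zero saved frame pointer ends the chain; a 32-byte buffer sits at offset 64 of a 256-byte image; the names checkframe, checked_strcpy, build_stack and demo are hypothetical. The real insane__ raises SIGSEGV and exits; here the verdict is returned so it can be checked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT       4u      /* i386 word size (assumption) */
#define STACK_SIZE 256u    /* constructed stack image */
#define BUF_OFF    64u     /* constructed: 32-byte buffer in the caller's frame */
#define CALLEE_FP  32u     /* constructed: frame of the copying function */

/* A constructed stack image. Offsets play the role of addresses; a higher
 * offset is a higher address, so callers' frames lie above callees'. */
typedef struct { uint8_t mem[STACK_SIZE]; } stack_image;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, SLOT); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, SLOT); }

/* Three frames: copying function (fp=32) -> its caller (fp=96) -> main
 * (fp=160, saved fp 0 ends the chain). Return addresses are made-up values. */
static void build_stack(stack_image *s)
{
    memset(s->mem, 0, sizeof s->mem);
    wr32(&s->mem[32],  96);  wr32(&s->mem[36],  0x08048100u);
    wr32(&s->mem[96],  160); wr32(&s->mem[100], 0x08048200u);
    wr32(&s->mem[160], 0);   wr32(&s->mem[164], 0x08048300u);
}

/* Walk the chain from fp; return 1 if the two slots of any frame (saved fp,
 * return address) intersect the just-written half-open region [a, b).
 * The overlap test uses the slot's address, so a saved fp lying inside the
 * region is never dereferenced: its value is attacker-controlled by now.
 * A chain that leaves the image, runs downward or loops is reported too. */
static int checkframe(const stack_image *s, uint32_t fp, uint32_t a, uint32_t b)
{
    unsigned hops;
    uint32_t lo, hi, next;
    for (hops = 0; fp != 0 && hops < 64; hops++) {
        lo = fp;
        hi = fp + 2 * SLOT;
        if (hi > STACK_SIZE) return 1;          /* chain left the stack image */
        if (lo < b && a < hi) return 1;         /* a frame slot was overwritten */
        next = rd32(&s->mem[fp]);
        if (next != 0 && next <= fp) return 1;  /* callers must lie above callees */
        fp = next;
    }
    return hops < 64 ? 0 : 1;
}

/* The patch's pattern: do the unchecked copy first, then verify the frame
 * chain against the region that was actually written, NUL included. */
static int checked_strcpy(stack_image *s, uint32_t fp, uint32_t dst, const char *src)
{
    uint32_t n = (uint32_t)strlen(src) + 1;     /* bytes written, with terminator */
    if (dst + n > STACK_SIZE) return -1;        /* would leave the image entirely */
    memcpy(&s->mem[dst], src, n);
    return checkframe(s, fp, dst, dst + n);
}

/* Copy `len` 'A' bytes into the 32-byte buffer at BUF_OFF of a fresh image
 * and report the verdict: 0 = clean, 1 = a frame slot was clobbered. */
static int demo(size_t len)
{
    stack_image s;
    char src[128];
    if (len >= sizeof src) return -1;
    build_stack(&s);
    memset(src, 'A', len);
    src[len] = '\0';
    return checked_strcpy(&s, CALLEE_FP, BUF_OFF, src);
}

int main(void)
{
    size_t lens[] = { 5, 31, 32, 40 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%2zu bytes + NUL into the 32-byte buffer: %s\n", lens[i],
               demo(lens[i]) ? "frame clobbered, insane__ would fire" : "clean");
    return 0;
}
```

Two points the walk makes visible: the 33rd byte, the terminator, is what lands on the caller's saved frame pointer, so the region handed to the check has to include the NUL; and the verdict arrives only after the write, so anything between the buffer and the frame slots is already gone, which is why the patch's callers can only abort, not recover.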