
Increasing overall Security (in BSD)

From carrier.kiev.ua!sita!news.tav.kiev.ua!mailgate Sun Feb  9 19:38:10 1997
Newsgroups: tav.freebsd.hackers
Path: carrier.kiev.ua!sita!news.tav.kiev.ua!mailgate
From: Alexander Snarskii <snar@lucky.net>
Message-ID: <199702091525.RAA05048@burka.carrier.kiev.ua>
Subject: Increasing overall security....
To: freebsd-hackers@freebsd.org
Date: Sun, 9 Feb 1997 17:25:43 +0200 (EET)
Content-type: text/plain; charset=koi8-r
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk
Lines: 222



I want to contribute a patch to libc to make FreeBSD unexploitable
by standard 'stack overflow' attacks.

All I wanted was to make my FreeBSD-based host as secure as possible.
I have not found anyone like Theo de Raadt in the FreeBSD project,
so the source tree still contains some exploitable 'stack overflow'
security holes, most of which come from using 'insecure'
functions like 'strcpy', 'sprintf' and so on in setuid programs.

'Why not rewrite those functions to check the stack integrity
before returning?' Oleg Panaschenko said some time ago, and after
some reflection I found that it is not such a bad idea. Yes, we
get some overhead from using these functions rather than
the standard ones, but for me this overhead is not so big,
and being able to sleep without nightmares about another
stack overflow exploit matters much more to me.

Well, that is not a panacea, though. I will still have problems
with other kinds of security holes (with creating temporary files,
for example).

I apologise that I used the libc from 2.1.5-RELEASE to make this patch,
but I have no free computer to run -current. I tested it against the -current
libc and it applied cleanly.

IDEA NOTES: 
There are two new functions: checkframe__(char* a,char* b), which
checks that we have no stack frames (generated by call _func)
in the memory region [a,b], and insane__(char* function-name,char* buffer),
which just performs kill(SIGSEGV,getpid()) (because the program
would get this signal anyway when 'ret'-ing to a junk address on the stack
once exploited) and then exit(1) (for cases like signal(SIG_SEGV,SIG_IGN)
:) ). And most functions which can be used for stack exploiting are
patched to check the changed memory region to avoid stack violation.
These functions are: strcpy, strcat, sprintf (well, 90% of such exploits
use them), gets (historical reasons :) ) and memcpy (some things, like
scanf and so on, use it).

INSTALLATION NOTES:
this is not just a patch to existing functions; there are three
new files for libc, which are attached as a uuencoded .tgz to this
letter. You need to extract it with `pwd`=/usr/src/lib .
You also need to
cd /usr/src/lib/libc/i386/string/
mv strcpy.S strcpy.S.orig
mv strcat.S strcat.S.orig
( or just remove these files )

Sorry for my English.


diff -r -c libc-old/i386/string/Makefile.inc libc/i386/string/Makefile.inc
*** libc-old/i386/string/Makefile.inc	Mon Jan 23 03:28:45 1995
--- libc/i386/string/Makefile.inc	Tue Feb  4 18:13:03 1997
***************
*** 3,8 ****
  
  SRCS+=	bcmp.S bcopy.S bzero.S ffs.S index.S memchr.S memcmp.S \
  	memmove.S memset.S \
! 	rindex.S strcat.S strchr.S strcmp.S strcpy.S strcspn.c \
  	strlen.S strncat.c strncmp.S strncpy.c strpbrk.c strsep.c \
! 	strspn.c strrchr.S strstr.c swab.S
--- 3,8 ----
  
  SRCS+=	bcmp.S bcopy.S bzero.S ffs.S index.S memchr.S memcmp.S \
  	memmove.S memset.S \
! 	rindex.S strchr.S strcmp.S strcspn.c \
  	strlen.S strncat.c strncmp.S strncpy.c strpbrk.c strsep.c \
! 	strspn.c strrchr.S strstr.c swab.S checkframe.S insane.c
diff -r -c libc-old/i386/string/memmove.S libc/i386/string/memmove.S
*** libc-old/i386/string/memmove.S	Wed Jun  5 05:47:35 1996
--- libc/i386/string/memmove.S	Sat Feb  8 22:16:28 1997
***************
*** 46,53 ****
  	 * (ov)bcopy (src,dst,cnt)
  	 *  ws@tools.de     (Wolfgang Solfrank, TooLs GmbH) +49-228-985800
  	 */
! 
  ALTENTRY(memcpy)
  ENTRY(memmove)
  	pushl	%esi
  	pushl	%edi
--- 46,54 ----
  	 * (ov)bcopy (src,dst,cnt)
  	 *  ws@tools.de     (Wolfgang Solfrank, TooLs GmbH) +49-228-985800
  	 */
! /*
  ALTENTRY(memcpy)
+ */
  ENTRY(memmove)
  	pushl	%esi
  	pushl	%edi
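Review bot: Commenting out `ALTENTRY(memcpy)` changes which implementation every memcpy caller links against without saying where the symbol now comes from; the replacement memcpy.c is added to string/Makefile.inc but exists only in the uuencoded tarball, so it cannot be reviewed here. A comment in place of the alias, e.g. `/* memcpy no longer aliases memmove: see string/memcpy.c, which adds the checkframe__ check */`, would stop a later reader from restoring it. The old alias made memcpy overlap-safe because it shared memmove's body; whether the new C memcpy keeps that property, and whether copying arbitrary binary data through it into a stack buffer can produce a `checkframe__` false positive that kills the process, is something the tarball's code needs to be checked for.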
diff -r -c libc-old/stdio/gets.c libc/stdio/gets.c
*** libc-old/stdio/gets.c	Wed Jun  5 05:49:43 1996
--- libc/stdio/gets.c	Sun Feb  9 17:05:33 1997
***************
*** 64,68 ****
--- 64,69 ----
  		else
  			*s++ = c;
  	*s = 0;
+ 	if(checkframe__(buf,s)) insane__((char*)"gets",buf);
  	return (buf);
  }
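Review bot: The check added before `return (buf);` runs only after the overrun has already happened, so it can detect an overwritten stack frame but cannot prevent the write, and anything else the overflow clobbered (adjacent locals, function pointers, heap or static data when `buf` is not on the stack) is outside what `checkframe__` is described as looking for. A one-line comment at the call site should say so, e.g. `/* post-write check: catches frames overwritten by the copy above, does not bound the copy itself */`, so nobody takes it for a bounds check. Neither `checkframe__` nor `insane__` is declared in any header touched by the textual diff, so unless the tarball adds one they are implicitly declared here; a prototype in a libc-private header would let the compiler check the pointer arguments. The same applies to the sprintf.c, strcat.c and strcpy.c hunks.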
diff -r -c libc-old/stdio/sprintf.c libc/stdio/sprintf.c
*** libc-old/stdio/sprintf.c	Wed Jun  5 05:49:52 1996
--- libc/stdio/sprintf.c	Sun Feb  9 14:42:52 1997
***************
*** 71,75 ****
--- 71,76 ----
  	ret = vfprintf(&f, fmt, ap);
  	va_end(ap);
  	*f._p = 0;
+ 	if(checkframe__(str,f._p)) insane__((char*)"sprintf",str);
  	return (ret);
  }
diff -r -c libc-old/string/Makefile.inc libc/string/Makefile.inc
*** libc-old/string/Makefile.inc	Wed Jun  5 05:50:30 1996
--- libc/string/Makefile.inc	Sat Feb  8 22:15:28 1997
***************
*** 5,11 ****
  CFLAGS += -I${.CURDIR}/locale
  # machine-independent string sources
  SRCS+=	memccpy.c strcasecmp.c strcoll.c strdup.c strerror.c \
! 	strmode.c strtok.c strxfrm.c
  
  # machine-dependent string sources
  .include "${.CURDIR}/${MACHINE}/string/Makefile.inc"
--- 5,11 ----
  CFLAGS += -I${.CURDIR}/locale
  # machine-independent string sources
  SRCS+=	memccpy.c strcasecmp.c strcoll.c strdup.c strerror.c \
! 	strmode.c strtok.c strxfrm.c strcpy.c strcat.c memcpy.c
  
  # machine-dependent string sources
  .include "${.CURDIR}/${MACHINE}/string/Makefile.inc"
diff -r -c libc-old/string/strcat.c libc/string/strcat.c
*** libc-old/string/strcat.c	Fri May 27 07:57:55 1994
--- libc/string/strcat.c	Sat Feb  8 21:53:58 1997
***************
*** 43,50 ****
--- 43,52 ----
  	register const char *append;
  {
  	char *save = s;
+ 	char *funct="strcat";
  
  	for (; *s; ++s);
  	while (*s++ = *append++);
+ 	if(checkframe__(save,s)) insane__(funct,save);
  	return(save);
  }
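Review bot: The end bound passed to `checkframe__` here is one byte past the terminating NUL, because `while (*s++ = *append++);` post-increments after copying the NUL, whereas strcpy.c's `for (; *to = *from; ++from, ++to);` leaves `to` on the NUL and gets.c and sprintf.c likewise pass the terminator's address. Whether that extra byte matters depends on how `checkframe__` treats its end bound, which this diff does not show; `if(checkframe__(save,s-1)) insane__(funct,save);` would make the four call sites consistent. `char *funct="strcat";` binds a string literal to a non-const pointer, and the gets.c and sprintf.c hunks reach the same result with `(char*)"gets"` casts; giving `insane__` a `const char *` first parameter removes both.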
diff -r -c libc-old/string/strcpy.c libc/string/strcpy.c
*** libc-old/string/strcpy.c	Fri May 27 07:57:55 1994
--- libc/string/strcpy.c	Sat Feb  8 21:54:40 1997
***************
*** 44,50 ****
--- 44,52 ----
  	register const char *from;
  {
  	char *save = to;
+ 	char *func="strcpy";
  
  	for (; *to = *from; ++from, ++to);
+ 	if(checkframe__(save,to)) insane__(func, save);
  	return(save);
  }


begin 644 tarball.tgz
M'XL(`````````^U9;7/;-A+.5^E7[#E-*]JT7FS'L>,X$YJB;=[0HHZD['HZ
M'9<F(0D516@(2K::ZW^_75!O?FGSH;[<7"K,)`*QBV=W'P#+)9SPVZ@F\XRG
MO=J0#:/1M!J]>N'6J-?W]_;@%5"K/_H%V-O;WP'8WWGWKK'?P'\`C=W&V_U7
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M1PTN(4$\@EF:5>$]]`F-1DG(ARPCCF#GJ2-H<(61N2,89SQ&Y_X[OD`1Y0PI
M%M%XB(L?SA>MANLA4)[!,,Q9QL-$+HE7"T;`JV&HX':K:F^$,>Z<G$LRN9Q/
M!E"1!KLLS,>X=6C9:7NH+8=!2-'-[W#99FXI)M#(*`FGCR()HT$J[A(6]QCA
MOB\V,5=>(FTYQA<EXY@M,2%F$Y:($09P.WVZPPE@N<EU.&'9@"5LJECDN-.1
MV")8D4D5[%X56HPKD@@M#8?LF;.3BJ58[;G'6/-8,<1;1FS@H@E@:8PR1@1A
M1$.1LWED$@/)$#Z&+@J>Y6UVDD".6$3G"*=R.F`9G:"T.$M2SA:-Y@3GM@^^
M>QI<&9X%V&][[J7=M)IP<HU""SSKS&H%/ABM)IAN*_#LDT[@>C[\\HOAXX0?
M?B`101FM:[!^;'N6[X/K@7W1=FS$06#/:`6VY>M@MTRGT[1;9\AR)X"6&X!C
M7]@!J@6N3O8(Z.E,<$_APO+,<WPT3FS'#JZ50Z=VT")SIVC/@+;A!;;9<0P/
MVAVO[?H*C>)JVK[I&/:%U<0<9K?0,%B7&!;XYX;C/(@3D1Z$>6*AB\:)H["4
M'0RS:7N6&5`\RYZ)K*%WC@Y^VS)MZE@_6AB*X5WK,UC?^E<'E5!(:$WCPCC#
MX"I?H`67Q.QXU@4YC$3XG1,_L(-.8,&9ZS9]@D)XW_(N;=/RC\!Q?<58Q[=T
M-!(8RCRB(%THQOY)Q[<5<78KL#ROTPYLMZ41T+E[A<R@LP;.;BJ2W9:*&4ER
MO6O")3[4&NAP=6[AN$><*M8,XL)']LR`T%8TT2KR&:P$"RWKS+&1==,BJ4M`
M5[9O:;ADMD\*=F'YRKA6,794^+18Z%O17=F\NEI2L$_!:%[:Y/Q,&3>";\\V
MC7M*2'['/)^Q3^>@5BZ_YET\7%V>LKCBV"?FC6^:O@;??P__F`\G/,VULJ1,
M&4'4QZI"1I'D\4\_PS%L?*J\UC`EJ@*K=%!M0&6>1C38K^W5#G<WCLJO\6RC
MH1H1,[.AD@RF<R#XF2M%_H(/<BIK$9J7U?['U6%5SM%8>2)XC.>XJ.PJN=!5
M9M`A8:E6+F6LAVD:DY3R=C,71ZMC^)[(9Q*:A#+)?V,W.4T^*G\NETBV"3*<
ML&,UM7CNCM/H>*.PB"&5>+<2]5DTZ&:8YFYNR(E<;"'&=D/3,!?+,*5AFH8"
M[:BLIJ#:1[*J*,:'#_1`LW#.9RB72HAQK!PIE91H_G#7YPFK$/RV1B%M;Q\K
M][>W4?H[L`0SYV>`9S2WM@K-K2W2)";P1916*L3AID9AHG._E__7%=O+MH3J
M?[Y[L#__"%BN5=5_(1M?JO_K;_>+^G_W;;VQ1_7_WMY.8UW_?XWVI/XWJ?X_
M?$<UCY&P>\P^6!_Y6(+*`>>86[#W*1E'@VDU9?G'=<6_KOC_I.+_HR(X'./J
M9D\+X#"=HL_;_U<U\#.GY%LNA7^:XC%1*_;SNA3^^Y7"136\4H1N-*U3O]K?
M6!GQK]4`+H%W_:#VPY)S-);]!-ZPVU&Y-!23HJN_8>']XEG2,\D7NO?+?K34
M"^_U0J:>#RHT25N%:NPLQFA:-!PIL)G*KSV&^>D^/R7?'DBCF=29<)%@QHO+
M"[WW,^@Z(=]K,P?D^#:![^JSIU]_PUTU^"OV=O`9Q4MMQ)M;5F84'FHXC?)R
MTD)CYP\T%@J-APJE:ICP7@H[>OW^L%YV&J@X$J,YW0G#TE>5P]]8[;MNS]3_
MQ0?9B_X1X(OU_VYC4?_7=][2_?]^8W==_W^-]I?K?U)T$]:#=IB&$K-].A#P
MH<^2WJ<\G%0'G$VJXW#]H;#^4/B[?RBL5L[K+X3U%\(W_86PO(T>IWC>XT<W
MU%ANALGC6^N8BT=#4YF(WL.Q29B%64_=>-<VX9^4]08<WRR4'O!D1TRJU!B%
MQ=\.\>T>#4!]?T@H"F%U7M%'NM<M+^Z?EY?7Q>M#W?K"2/`4,YE6ICMG,6(I
M^E/9*"9MZ(Y[=M-J6HYQ_6_JMG'Q7:_HVDWU2[M4J2''GD97Z"JD"@T9CN4%
M^H:O/%RX5N3)N1_P1D)%>0]O1MJ&OO!O[AA=NR=",@)5=^=$1L6WSWSK[%+O
ML7S$XXI&:LA6)\U8&/7Y;8+Y'TD:"KKA1Z8DK5F)W?.\TM#@"+ZY:^YU6[=U
/6[=U>]3^`W%P;-0`*```
`
end
-- 
Alexander Snarskii
the source code is included.

