Linux ASLR Vulnerability: An attacker can disable ASLR indefinitely

Source: Internet
Author: User
Tags cve

  

Recently, an older vulnerability in Linux ASLR was fixed: any user able to run 32-bit applications on an x86 machine could disable ASLR simply by setting the RLIMIT_STACK resource limit to "unlimited".

The vulnerability has CVE number CVE-2016-3672 and CNNVD number CNNVD-201604-092.

2cto background note:

ASLR (Address Space Layout Randomization) is a protection technique against buffer overflow attacks. By randomizing the layout of the heap, the stack, shared library mappings and other linear regions of the address space, it makes it harder for an attacker to predict the destination address of an overflow, so that the attacker cannot directly locate the attack code, which defeats many overflow exploits.

Detection

Users can check if their systems are affected by performing the following steps:

1. Create a small program that prints its own memory map:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* show_maps.c: print this process's own /proc/<pid>/maps so the address of
 * the libc mapping can be compared across runs. */
int main(int argc, const char *argv[])
{
	char cmd[256];

	snprintf(cmd, sizeof(cmd), "cat /proc/%d/maps", getpid());
	system(cmd);
	return 0;
}

2. Compile the program:

$ gcc show_maps.c -o show_maps        # on an i386 machine

$ gcc show_maps.c -o show_maps -m32   # on a 64-bit machine

3. Run the program several times to check whether ASLR is working:

$ for i in `seq 1 10`; do ./show_maps | grep "r-xp.*libc"; done
f75c4000-f7769000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f75db000-f7780000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f7557000-f76fc000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f7595000-f773a000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f7574000-f7719000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f75af000-f7754000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f7530000-f76d5000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f7529000-f76ce000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f75c2000-f7767000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f75fe000-f77a3000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so

If the libc-2.19.so library is mapped at a different, random address on each run, ASLR is working correctly.

Then set the RLIMIT_STACK stack size to "unlimited" and run the same check again:

$ ulimit -a | grep stack
stack size              (kbytes, -s) 8192
$ ulimit -s unlimited
stack size              (kbytes, -s) unlimited
$ for i in `seq 1 10`; do ./show_maps | grep "r-xp.*libc"; done
5559a000-5573f000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so

The libc-2.19.so library is now mapped at the same address on every run, which shows that ASLR has been disabled.

This is an old way of disabling ASLR, but unfortunately the problem still exists in current Linux systems.
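The three manual steps above can be run as one script. The following is an added example, not code from the original post: it runs a program that prints its own maps (the show_maps binary above is the assumed path) ten times with the current stack limit and ten times with RLIMIT_STACK set to unlimited, counts the distinct base addresses of the libc text mapping, and reports whether the unlimited stack collapsed the randomization. Without an argument it runs the same counting logic over constructed sample lines that mirror the two outputs shown above, so it can be exercised offline. The program under test must be a 32-bit (i386 or -m32) binary, since that is the case the vulnerability affects.

```shell
#!/bin/sh
# aslr_check.sh: added example, not part of the original post.
# Usage: ./aslr_check.sh ./show_maps   (./show_maps is an assumed path)
#        ./aslr_check.sh               (self-demo on constructed sample lines)

# Read /proc/<pid>/maps lines on stdin and print how many distinct start
# addresses the executable (r-xp) libc mapping has. With ASLR active each run
# contributes a new address; with it disabled every run shares one.
distinct_libc_bases() {
    grep 'r-xp.*/libc[-.]' | cut -d- -f1 | sort -u | wc -l | tr -d ' '
}

# Turn that count into a verdict. More than one distinct base across runs
# means the mmap region is being randomized.
aslr_verdict() {
    if [ "$1" -gt 1 ]; then
        echo "randomized"
    elif [ "$1" -eq 1 ]; then
        echo "not randomized"
    else
        echo "no libc mapping found"
    fi
}

# Run the given program N times, concatenating everything it prints.
sample_runs() {
    prog=$1
    n=$2
    i=0
    while [ "$i" -lt "$n" ]; do
        "$prog"
        i=$((i + 1))
    done
}

# Compare the program under the caller's stack limit and under an unlimited
# stack. The ulimit change happens in a subshell so the caller is untouched.
# Returns 1 when the unlimited stack removes the randomization.
check_program() {
    prog=$1
    before=$(sample_runs "$prog" 10 | distinct_libc_bases)
    after=$( (ulimit -s unlimited; sample_runs "$prog" 10) | distinct_libc_bases)
    echo "stack limit default  : $before distinct libc base(s) -> $(aslr_verdict "$before")"
    echo "stack limit unlimited: $after distinct libc base(s) -> $(aslr_verdict "$after")"
    if [ "$before" -gt 1 ] && [ "$after" -le 1 ]; then
        echo "VULNERABLE: an unlimited stack disables mmap randomization (CVE-2016-3672 behaviour)"
        return 1
    fi
    return 0
}

# Constructed sample output (not captured from a real machine) used for the
# offline self-demo; the addresses follow the two runs shown in the post.
RANDOMIZED_SAMPLE='f75c4000-f7769000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75db000-f7780000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7557000-f76fc000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so'
FIXED_SAMPLE='5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so'

if [ -n "$1" ]; then
    check_program "$1"
else
    r=$(printf '%s\n' "$RANDOMIZED_SAMPLE" | distinct_libc_bases)
    f=$(printf '%s\n' "$FIXED_SAMPLE" | distinct_libc_bases)
    echo "sample A: $r distinct base(s) -> $(aslr_verdict "$r")"
    echo "sample B: $f distinct base(s) -> $(aslr_verdict "$f")"
fi
```

The script exits non-zero when the unlimited stack collapses the libc base to a single address, so it can be dropped into a hardening test suite that runs after a kernel update. The grep pattern is narrowed to `/libc[-.]` so that other libraries whose names start with "libc" (libcrypto, for example) do not inflate the count.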

Vulnerability Details

The vulnerability is caused by Linux ASLR failing to randomize the mmap base address when the stack size is set to unlimited. In other words, when the kernel uses the legacy layout on i386, or on x86_64 while emulating x86_32, it only randomizes the stack and the executable and leaves the other mmapped objects (library files, the VDSO, etc.) unrandomized; on some Linux versions even the executable is not randomized.

The mmap_legacy_base() function computes the base address used for library mappings when the stack size is set to unlimited:

static unsigned long mmap_legacy_base(void)
{
	if (mmap_is_ia32())
		return TASK_UNMAPPED_BASE;
	else
		return TASK_UNMAPPED_BASE + mmap_rnd();
}

When the system is running natively as a 32-bit system (i386) or in 32-bit emulation mode (x86_32 on x86_64), the function adds no random offset at all.

Exploitation

An attacker simply sets the stack size to "unlimited" and then runs a 32-bit application; the technique is mainly of use against privileged programs such as setuid or setgid binaries.

Impact

An attacker able to run 32-bit applications on an x86 system could use this flaw to disable ASLR for any application, including setuid and setgid programs. Note that this is not an exploitable vulnerability in itself, but a way of disabling ASLR that an attacker can combine with another vulnerability. Because i386 (Intel 80386) systems are still widely used, the range of affected systems and users remains very broad.

Fix

The patch for this vulnerability is as follows:


diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 96bd1e2..389939f 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c

@@ -94,18 +94,6 @@ -94,18 unsigned long mmap_base (unsigned long rnd)

}

/*

-* bottom-up (Legacy) layout on x86_32 do not support randomization, x86_64

-* does, but isn't when emulating x86_32

- */

-static unsigned long mmap_legacy_base (unsigned long rnd)

-{

-if (Mmap_is_ia32 ())

-Return task_unmapped_base;

-Else

-Return task_unmapped_base + rnd;

-}

-

-/*

* This function, called very early during the creation of a new

* Process VM image, sets up which VM layout function to use:

*/
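Review bot: deleting mmap_legacy_base() also deletes the only comment in this file that documented the old behaviour ("bottom-up (legacy) layout on x86_32 does not support randomization, x86_64 does, but isn't when emulating x86_32"), and nothing in the hunk says that the legacy layout is now randomized on ia32 as well; suggest a one-line comment above arch_pick_mmap_layout() or a changelog sentence stating that, so a later reader does not reintroduce the mmap_is_ia32() special case. The comment block itself stays balanced: once the `-/*` line is dropped, the retained `/*` at the top of the hunk opens the "This function, called very early during the creation of a new process VM image" comment.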

@@ -116,7 +104,7 @@ -116,7 arch_pick_mmap_layout (struct mm_struct *mm)

if (Current->flags & Pf_randomize)

Random_factor = Arch_mmap_rnd ();

-Mm->mmap_legacy_base = Mmap_legacy_base (random_factor);

+ mm->mmap_legacy_base = task_unmapped_base + random_factor;

if (Mmap_is_legacy ()) {

Mm->mmap_base = mm->mmap_legacy_base;
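Review bot: the added line `mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;` now adds the offset on ia32 unconditionally, which is the intended fix, but random_factor is only assigned inside `if (current->flags & PF_RANDOMIZE)` and its declaration lies outside the visible context; confirm it is initialised to 0 before that if, otherwise a process without PF_RANDOMIZE would have an uninitialised value added to its legacy base. The retained context `mm->mmap_base = mm->mmap_legacy_base;` under mmap_is_legacy() is the path taken when the stack limit is unlimited, so the show_maps check from the Detection section is the right regression test for this hunk.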

This patch enables randomization of library files, the VDSO and mmap requests on i386, and on x86_32 in legacy mode, and the fix is scheduled to be included in the next Linux release.