Offset2lib attacks bypass 64-bit Linux kernel Protection
Security researcher Hector Marco released the release of the ASLR protection bypass for 64-bit Linux kernel. slide and the paper provide download. This attack is called offset2lib. The implementation of ASLR is in the Linux kernel, in the GNU/Linux release, when an application is loaded into the memory, a random address is first found to load the first shared library, and the shared library to be loaded follows the address of the previously loaded object, the leakage of a memory address is enough to make address randomization useless. Even GOT (Global Offset Table) address leakage is not necessary, since most of the GNU/Linux distributions (except each source code package such as Gentoo needs to be compiled by itself) are pre-compiled binary files, the offset values of these releases are the same.
In the POC, the authors easily bypass NX (which cannot be executed on the stack), ASLR (address randomization), and PIE (randomization for code segments ), SSP (whether to detect the modified canary in the output stack of the Pressure stack) combination defense, offset2lib attack to bypass normal GNU/Linux overall defense against vulnerabilities to give a fatal blow.The exposure of offset2lib caused a wide discussion in the 0ld sch00l hacker community. Over the years, the arrogance of the Linux kernel developer community has led to this level of attacks, over the years, the repair-and-supplement-style defense design collapsed overnight. Some people even doubt whether these defense codes from the "ancient" era still exist... although the offset2lib attack is relatively easy to fix in the current kernel code, you do not know whether the NSA and other intelligence departments have used the vulnerability? Interestingly, this attack method is ineffective for Grsecurity/PaX. The implementation of Grsecurity/PaX as early as 13 years ago has eliminated the possibility of such attacks, unfortunately, only Gentoo and Debian Mempo provide direct use of Grsecurity/PaX. Of course, the Linux kernel community has always copied Grsecurity/PaX to prevent it from entering the backbone, which may be a Community political issue. However, the poor copy is also the main cause of this attack.Btw: normal GNU/Linux security is relative to Windows.
This article permanently updates the link address: