Paper: On the Effectiveness of Full-ASLR on 64-bit Linux

ABSTRACT
Address-Space Layout Randomization (ASLR) is a technique used to thwart attacks which rely on knowing the location of the target code or data. The effectiveness of ASLR hinges on the entirety of the address space layout remaining unknown to the attacker. Only executables compiled as Position Independent Executables (PIE) can obtain the maximum protection from the ASLR technique, since all the sections are loaded at random locations.

We have identified a security weakness in the implementation of ASLR in Linux when the executable is PIE compiled, named offset2lib. A PoC attack is described to illustrate how offset2lib can be exploited. Our attack bypasses the three most widely adopted and effective protection techniques: the No-eXecute bit (NX), address space layout randomization (ASLR) and the stack smashing protector (SSP). A remote shell is obtained in less than one second. Finally, how the RenewSSP technique can be used as a workaround is discussed, and how to remove the offset2lib weakness from the current ASLR implementation is also presented.


More here: http://cybersecurity.upv.es/attacks/offset2lib/offset2lib-paper.pdf
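The abstract does not spell out what the weakness looks like in memory, so here is an added example (not code from the paper or its authors) of the check a practitioner would run. The offset2lib weakness is that, on the affected kernels, a PIE executable is mmap()ed into the same region as the shared libraries, so the distance between the executable's base and libc's base is a small per-binary constant across runs: leaking any executable address gives the libc base, which is what defeats ASLR once NX and SSP have been dealt with. A layout that randomizes the executable independently places it far from the libraries (for example 0x5555... versus 0x7fff... on x86_64). The program below parses /proc/self/maps-style text, computes that distance, and applies a heuristic threshold; the two sample maps, their addresses and paths, the 4 GiB threshold and the libc file name used for the live check are constructed or assumed for illustration.

```c
/* Added example: inspect a /proc/<pid>/maps text for the offset2lib layout.
 * Not from the paper. Sample maps, paths, addresses and the 4 GiB threshold
 * are constructed/assumed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Heuristic (assumption): bases closer than this are "in the same region". */
#define OFFSET2LIB_MAX_DELTA ((intptr_t)1 << 32)

/* Start address of the first maps line whose path field ends with `suffix`,
 * or 0 if none. `maps` is the full text of a maps file (lines sorted by
 * address, so the first hit is the lowest mapping of that object). */
static uintptr_t find_base(const char *maps, const char *suffix)
{
    size_t slen = strlen(suffix);
    const char *line = maps;
    while (*line) {
        const char *nl = strchr(line, '\n');
        const char *end = nl ? nl : line + strlen(line);
        /* The path is whatever follows the 5th space-separated field
         * (range, perms, offset, dev, inode); it may be empty. */
        const char *p = line;
        for (int field = 0; field < 5 && p < end; field++) {
            while (p < end && *p != ' ') p++;
            while (p < end && *p == ' ') p++;
        }
        size_t plen = (size_t)(end - p);
        if (plen >= slen && memcmp(end - slen, suffix, slen) == 0) {
            char *stop;
            return (uintptr_t)strtoull(line, &stop, 16);
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* exe_base - libc_base, or 0 if either mapping is missing. */
static intptr_t exe_libc_delta(const char *maps, const char *exe_suffix,
                               const char *libc_suffix)
{
    uintptr_t exe = find_base(maps, exe_suffix);
    uintptr_t libc = find_base(maps, libc_suffix);
    if (!exe || !libc) return 0;
    return (intptr_t)(exe - libc);
}

/* 1 if the executable sits within OFFSET2LIB_MAX_DELTA of libc, i.e. it was
 * mapped into the library region (offset2lib layout); 0 otherwise. */
static int layout_is_offset2lib(const char *maps, const char *exe_suffix,
                                const char *libc_suffix)
{
    intptr_t d = exe_libc_delta(maps, exe_suffix, libc_suffix);
    if (d == 0) return 0;
    if (d < 0) d = -d;
    return d < OFFSET2LIB_MAX_DELTA;
}

/* Constructed sample: executable mmap()ed just above ld.so and libc, as on an
 * affected kernel. exe - libc = 0x5e2000, constant across runs. */
static const char VULNERABLE_MAPS[] =
    "7f0f2b6f0000-7f0f2b8a8000 r-xp 00000000 08:01 2001 /lib/x86_64-linux-gnu/libc-2.19.so\n"
    "7f0f2b8a8000-7f0f2baa8000 ---p 001b8000 08:01 2001 /lib/x86_64-linux-gnu/libc-2.19.so\n"
    "7f0f2bab0000-7f0f2bad3000 r-xp 00000000 08:01 2000 /lib/x86_64-linux-gnu/ld-2.19.so\n"
    "7f0f2bcd2000-7f0f2bcd3000 r-xp 00000000 08:01 3000 /tmp/pie_demo\n"
    "7ffc8e1a0000-7ffc8e1c1000 rw-p 00000000 00:00 0 [stack]\n";

/* Constructed sample: executable randomized independently, far below libc. */
static const char FIXED_MAPS[] =
    "555555554000-555555555000 r-xp 00000000 08:01 3000 /tmp/pie_demo\n"
    "7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 2001 /lib/x86_64-linux-gnu/libc-2.19.so\n"
    "7ffff7dd7000-7ffff7dfc000 r-xp 00000000 08:01 2000 /lib/x86_64-linux-gnu/ld-2.19.so\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n";

/* Live check of this process (Linux only); assumes libc is named libc.so.6. */
int main(void)
{
    static char maps[1 << 16];
    char exe[4096];
    FILE *f = fopen("/proc/self/maps", "r");
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (!f || n < 0) { perror("/proc/self"); return 1; }
    exe[n] = '\0';
    size_t got = fread(maps, 1, sizeof maps - 1, f);
    maps[got] = '\0';
    fclose(f);

    printf("sample (vulnerable): delta 0x%lx, offset2lib=%d\n",
           (long)exe_libc_delta(VULNERABLE_MAPS, "/tmp/pie_demo", "libc-2.19.so"),
           layout_is_offset2lib(VULNERABLE_MAPS, "/tmp/pie_demo", "libc-2.19.so"));
    intptr_t d = exe_libc_delta(maps, exe, "libc.so.6");
    if (d == 0)
        printf("this process: executable or libc.so.6 mapping not found\n");
    else
        printf("this process: exe - libc = %ld, offset2lib layout: %s\n", (long)d,
               layout_is_offset2lib(maps, exe, "libc.so.6") ? "yes" : "no");
    return 0;
}
```

Run the binary twice (compiled with -pie -fPIE) on the same kernel: on an affected system the live delta is identical both times and within the threshold, which is exactly the constant an attacker needs; with the executable randomized separately it changes between runs and is far outside it.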
