I have applied the exec-shield patch from Ingo Molnar and I am trying to understand how it works. In the announcement of the patch (http://www.kerneltrap.org/node.php?id=644) Ingo says something about the ascii-armor area, which on i386 is the area 0-16MB. Can anyone briefly explain to me what this area is and why it is protected from ascii-based overflow exploits?
Thank you in advance.
Most overflow attacks work against functions of the sort of "strcpy" and friends. As such, the attack payload cannot contain certain characters, or the buffer will be terminated at that point, and the attack won't succeed.
The forbidden characters vary, depending on the precise place where the overflow occurs. One character that is universally forbidden, however, is the "NULL" character (ASCII 0).
Most attacks work this way: The attacker writes the code she wants to inject into the attacked process (depending on functionality, this may be called "shell code" or "reverse shell code", and the general name is "egg"), and then injects the address of the egg into a pointer that causes the egg to execute.
The idea behind ASCII armouring buffers is to mandate a NULL in the buffer's address. The idea is that the egg is injected into an address, which cannot be then sent into the pointer. This, theoretically, foils the entire attack.
Another idea presented in the discussion was to have the buffer in a different address each time. This variation means that the attacker has the theoretical ability to send the buffer's address, but does not know where this buffer is.
For more information about exploiting stack overruns, I recommend Aleph1's classic "Smashing the Stack for Fun and Profit". Look it up in Google or get it from Phrack magazine (phrack.org - I think it was Phrack #49. Not sure).
Shachar
-- Shachar Shemesh Open Source integration consultant Home page & resume - http://www.shemesh.biz/
-- Kernelnewbies: Help each other learn about the Linux kernel. Archive: http://mail.nl.linux.org/kernelnewbies/ FAQ: http://kernelnewbies.org/faq/
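The mechanism Shachar describes above, as an added example that is not part of the thread (the payload layout, padding size and addresses are constructed for illustration): on little-endian i386, every address below 16MB (0x01000000) has 0x00 as its most significant byte, so when an attacker smuggles such a pointer through strcpy() the copy stops at that byte. The program models a payload of [padding][addr1][addr2] delivered through strcpy() and counts how many of the two pointers arrive intact. It also shows the one caveat a practitioner should know: because the terminating NUL is itself written, a single armored address can survive if it is the very last thing in the payload, but nothing after it is ever copied, so chaining two armored addresses fails.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: an overflow payload of PAD filler bytes followed by
 * two 4-byte little-endian pointers, delivered through strcpy(). */
#define PAD 8
#define PAYLOAD_LEN (PAD + 4 + 4)

/* Exec-shield's i386 ascii-armor region is the first 16MB of the address space. */
int in_ascii_armor(uint32_t addr) {
    return addr < 0x01000000u;
}

/* True if any byte of the pointer is 0x00 (the byte strcpy() stops at). */
int has_nul_byte(uint32_t v) {
    for (int i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

static void put_le32(unsigned char *dst, uint32_t v) {
    dst[0] = (unsigned char)(v & 0xffu);
    dst[1] = (unsigned char)((v >> 8) & 0xffu);
    dst[2] = (unsigned char)((v >> 16) & 0xffu);
    dst[3] = (unsigned char)((v >> 24) & 0xffu);
}

/* Build the payload, push it through strcpy() into a poisoned destination,
 * and return how many of the two pointers landed byte-for-byte intact. */
int addresses_delivered(uint32_t addr1, uint32_t addr2) {
    unsigned char payload[PAYLOAD_LEN + 1];
    unsigned char dst[PAYLOAD_LEN + 1];

    memset(payload, 'A', PAD);          /* filler up to the overwritten pointer */
    put_le32(payload + PAD, addr1);
    put_le32(payload + PAD + 4, addr2);
    payload[PAYLOAD_LEN] = '\0';        /* the attacker's own terminator */

    memset(dst, 0xCC, sizeof dst);      /* poison: bytes that never arrive stay 0xCC */
    strcpy((char *)dst, (const char *)payload);

    int delivered = 0;
    if (memcmp(dst + PAD, payload + PAD, 4) == 0)
        delivered++;
    if (memcmp(dst + PAD + 4, payload + PAD + 4, 4) == 0)
        delivered++;
    return delivered;
}

int main(void) {
    /* 0x00801234 is inside the armor region; 0x080483f4 / 0x08048abc are
     * typical non-armored text addresses on i386 (constructed values). */
    printf("armored addr, then plain addr: %d of 2 delivered\n",
           addresses_delivered(0x00801234u, 0x08048abcu));
    printf("plain addr, then armored addr: %d of 2 delivered\n",
           addresses_delivered(0x08048abcu, 0x00801234u));
    printf("two plain addrs:               %d of 2 delivered\n",
           addresses_delivered(0x080483f4u, 0x08048abcu));
    return 0;
}
```

The ordering matters because i386 is little-endian: the zero byte of an armored address is the last of its four bytes, so it coincides with the NUL that strcpy() writes anyway. That is why a single return-into-armored-code address at the tail of a payload still works, while any attempt to place a second pointer, arguments, or further shellcode after it is cut off.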