14 May 2006 Marcus   » (Master)

New things in 10.1 from a security point of view.

Format string exploits got harder, thanks to FORTIFY_SOURCE and glibc 2.4.

glibc now checks whether %n (the critical conversion in format string exploits) appears in a format string that lives in writable memory, and if so it aborts. Consider this example:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    /* Deliberately vulnerable: the caller-supplied string is used as the format. */
    void f(char *f)
    {
        char *buf = malloc(strlen(f) + 1);
        strcpy(buf, f);
        printf(buf, "hello world");
        free(buf);
    }

    int main(int argc, char **argv)
    {
        f("%s\n%n%n%n");
        return 0;
    }


$ gcc -O2 -o xx xx.c
$ ./xx
hello world
Segmentation fault
Exploit successful.


$ gcc -O2 -o xx xx.c -D_FORTIFY_SOURCE=2
$ ./xx
hello world
*** %n in writable segment detected ***
Exploit only successful in getting a controlled abort(), but no code execution.

This requires code compiled with the -D_FORTIFY_SOURCE=2 define, which is true of all packages built with RPM_OPT_FLAGS in SUSE Linux, around 90% - 95% of them.
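To make the check concrete, here is an added example (not from the post or from glibc) with a small scanner that finds %n conversions the way the glibc check has to, honouring %% escapes and modifiers, next to the hardened form of f() that passes the untrusted text as an argument instead of as the format. The static output buffer and the function names are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Count %n conversions in a format string, honouring "%%" escapes and
 * skipping flags, width, precision, positional "$" and length modifiers.
 * This is a simplified model of the directive walk glibc performs before
 * it aborts on %n in a writable format string, not glibc's own code. */
int count_n_directives(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;                                  /* move onto the conversion spec */
        while (*p && strchr("-+ #0'*123456789.$hlLqjzt", *p))
            p++;                              /* skip modifiers */
        if (*p == '\0')
            break;                            /* dangling '%' at end of string */
        if (*p == 'n')
            count++;                          /* "%%" and others fall through */
    }
    return count;
}

/* Hardened form of the post's f(): the untrusted string is only ever an
 * argument, so any %n it carries is copied literally instead of interpreted.
 * The static buffer is an assumption for the example. */
static char formatted[256];
const char *format_untrusted(const char *untrusted)
{
    snprintf(formatted, sizeof formatted, "%s", untrusted);
    return formatted;
}

int main(void)
{
    const char *payload = "%s\n%n%n%n";     /* constructed sample from the post */
    printf("%%n directives in payload: %d\n", count_n_directives(payload));
    printf("safely printed: %s\n", format_untrusted(payload));
    return 0;
}
```

Compiling the hardened form with -D_FORTIFY_SOURCE=2 adds nothing to worry about, since the format is a constant literal; the abort only ever protects code that still takes the vulnerable path.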

(Of course I know that almost all format string exploits have been fixed in the meantime. But there might still be some left.)
