User: Password:
Subscribe / Log in / New account

Make the stack less fragile

Make the stack less fragile

Posted Feb 5, 2012 10:38 UTC (Sun) by epa (subscriber, #39769)
In reply to: Make the stack less fragile by nix
Parent article: Format string vulnerabilities

Not so: clearly the generated code for a function such as foo(int a, int b) would first check that exactly two items are on the stack. If the integer at the top of the stack is not 2, then something has gone very wrong.

The only case where this integer number of arguments would change the program's behaviour (as opposed to redundantly stating what is already expected to be the case) is for varargs functions. And in those cases you validate the number of arguments on the stack against an expected number. If the format string is "%d%d" but there are 3 values on the stack, again something is wrong.

To cause an exploit the attacker must both manipulate the format string and somehow overwrite the number-of-arguments value at the top of the stack. It is no longer possible to take too many or too few values from the stack because of a format string vulnerability or other varargs bug.

(Log in to post comments)

Make the stack less fragile

Posted Feb 5, 2012 21:19 UTC (Sun) by nix (subscriber, #2304) [Link]

Well, yes, the attack vector is exactly that: overwrite the num-of-args value, and all bets are off.

Make the stack less fragile

Posted Feb 6, 2012 11:37 UTC (Mon) by epa (subscriber, #39769) [Link]

Perhaps I don't understand what you mean. To attack a varargs function such as printf() you would need to attack *both* the format string vulnerability and smash the stack somehow to overwrite the number-of-args value. This is harder than just exploiting the format string without stack protection.

So if printf() gets the format string "%d %d" but number-of-args != 2, it aborts. You would need to find a format string vulnerability *and* a stack-overwriting exploit to change the number-of-args value.

If you overwrite just the number-of-args value at the top of the stack, this is merely a denial of service attack for a call foo(a, b). It would not cause foo() to somehow take three arguments instead, because the number of args to pop off the stack is compiled in. Given all the other fun and games you can get by overwriting values on the stack (the return address in particular), I don't think that a number-of-args value presents a juicy target.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds