A start

T_B T_B at sympatico.ca
Sun Jan 11 17:30:12 PST 2004


"Ian Molton" <spyro at f2s.com> wrote in message
news:20040112003334.066ab988.spyro at f2s.com...
> On Sun, 11 Jan 2004 17:48:44 -0500
> "T_B" <T_B at sympatico.ca> wrote:
>
> >
> > [/usr/src]# ./fail2
> >         before foo()
> >         Segmentation fault
> >
> > [/usr/src]# ./fail3
> >         before foo()
> >         fail3: stack smashing attack in function fooAborted
>
> how is case 3 better than case 2 ?
>
According to the write-up on Propolice at
http://wiki.linuxfromscratch.org/index.php?pagename=ProPolice%20Smashing%20Stack%20Protector :

        "-fstack-protector-all protects all functions regardless of array
size, while -fstack-protector does not protect arrays of length seven or
less."

fail.c uses a buffer size of 7.  The test shows that this type of exploit is
only caught by propolice in case 3 when fail.c is compiled
with -fstack-protector-all.  fail.c is a simple test for vulnerability, thus
the segmentation fault error is indicative of its presence.  The exploit code
examples in the libsafe source tar file actually spawn a new shell if
successful.

In my testing, propolice was not able to stop the libsafe canary-exploit
from spawning a shell - even when compiled with -fstack-protector-all.
However, PaX in grsecurity always caught it.

Bill
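Added illustration (not code from the message above, nor from ProPolice, libsafe or grsecurity): a small C model of the guard check ProPolice compiles into a function epilogue, using a 7-byte buffer like the one in fail.c. The frame is a constructed struct of byte arrays so the "overflow" is a well-defined memcpy inside one object and the program runs without any stack protector at all; the guard value, the fake return address and the inputs are all constructed for the example. It shows why a contiguous overflow of more than 7 bytes trips the canary, why a write that lands directly on the saved return address without passing over the guard does not, and encodes the rule quoted from the ProPolice write-up about which functions -fstack-protector instruments.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the frame layout ProPolice produces: the local array
 * sits directly below the guard word, and the guard sits below the saved
 * return address.  Using one struct of byte arrays (no padding) keeps the
 * "overflow" a well-defined memcpy within the object, so this runs safely
 * without -fstack-protector at all.
 */
struct frame {
    unsigned char buf[7];        /* same size as the buffer in fail.c */
    unsigned char canary[4];     /* ProPolice guard word */
    unsigned char saved_ret[4];  /* stands in for the saved return address */
};

/* Constructed values; a real guard is random or a terminator pattern. */
static const unsigned char GUARD[4]     = { 0x00, 0x0a, 0x0d, 0xff };
static const unsigned char CLEAN_RET[4] = { 0x00, 0x80, 0x04, 0x08 };

enum outcome {
    OUTCOME_OK = 0,               /* epilogue check passes, return is intact */
    OUTCOME_CANARY_CORRUPTED = 1, /* "stack smashing attack in function foo" */
    OUTCOME_RET_HIJACKED = 2      /* return address changed, guard untouched */
};

/* The check the compiler emits before the function returns. */
static enum outcome epilogue_check(const struct frame *f)
{
    if (memcmp(f->canary, GUARD, sizeof GUARD) != 0)
        return OUTCOME_CANARY_CORRUPTED;
    if (memcmp(f->saved_ret, CLEAN_RET, sizeof CLEAN_RET) != 0)
        return OUTCOME_RET_HIJACKED;
    return OUTCOME_OK;
}

static void init_frame(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    memcpy(f->canary, GUARD, sizeof GUARD);
    memcpy(f->saved_ret, CLEAN_RET, sizeof CLEAN_RET);
}

/*
 * Stand-in for foo(): copy len bytes into the 7-byte buffer the way an
 * unbounded strcpy would, then run the guard check.  Writes are capped at
 * the struct size so the model stays defined.
 */
static enum outcome run_foo(const unsigned char *input, size_t len)
{
    struct frame f;
    init_frame(&f);

    size_t n = len < sizeof f ? len : sizeof f;
    memcpy((unsigned char *)&f, input, n);  /* contiguous overflow path */

    return epilogue_check(&f);
}

/*
 * A write that never passes through the guard, modelled here as a store
 * through a pointer that already points at the saved return address.  The
 * canary is untouched, so the epilogue check has nothing to notice.
 */
static enum outcome run_pointer_write(const unsigned char new_ret[4])
{
    struct frame f;
    init_frame(&f);

    memcpy(f.saved_ret, new_ret, 4);       /* skips buf and canary entirely */
    return epilogue_check(&f);
}

/* Rule quoted from the ProPolice write-up: -fstack-protector skips arrays of
 * seven bytes or fewer; -fstack-protector-all instruments every function. */
static int function_instrumented(size_t largest_array, int protector_all)
{
    return protector_all || largest_array > 7;
}

int main(void)
{
    /* Constructed inputs: 7 bytes fits; 11 bytes spills into the guard;
     * 15 bytes reaches the saved return address. */
    const unsigned char in7[7]      = "AAAAAA";
    const unsigned char in11[11]    = "AAAAAAAAAA";
    const unsigned char in15[15]    = "AAAAAAAAAAAAAA";
    const unsigned char evil_ret[4] = { 0x41, 0x41, 0x41, 0x41 };

    printf("7 bytes into buf[7]:   %d\n", run_foo(in7, sizeof in7));
    printf("11 bytes into buf[7]:  %d\n", run_foo(in11, sizeof in11));
    printf("15 bytes into buf[7]:  %d\n", run_foo(in15, sizeof in15));
    printf("pointer write to ret:  %d\n", run_pointer_write(evil_ret));
    printf("buf[7] instrumented: -fstack-protector=%d, -fstack-protector-all=%d\n",
           function_instrumented(7, 0), function_instrumented(7, 1));
    return 0;
}
```

The model matches the two observations in the thread: fail.c's 7-byte buffer is exactly the size that the quoted rule says -fstack-protector leaves uninstrumented, and a guard word only catches writes that run over it, which is why an attack that reaches the return address by some other route is not the canary's problem to catch and needs something like PaX's non-executable pages instead.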

More information about the hlfs-dev mailing list