Bypassing libsafe format string protection

From: Wojciech Purczynski (cliphat_private)
Date: Wed Mar 20 2002 - 02:35:04 PST


    Name:		libsafe
    Version:	up to 2.0-11
    URL:		http://www.research.avayalabs.com/project/libsafe/
    Author:		Wojciech Purczyński <cliphat_private>
    Date:		March 14, 2002
    
    Issue:
    ======
    
    Libsafe provides ineffective protection against format string exploit
    attacks that may be trivially bypassed.
    
    
    Description:
    ============
    
    The libsafe library protects a process against the exploitation of buffer
    overflow vulnerabilities in process stacks. Libsafe works with any
    existing pre-compiled executable and can be used transparently, even on a
    system-wide basis. The method intercepts all calls to library functions
    that are known to be vulnerable. A substitute version of the corresponding
    function implements the original functionality, but in a manner that
    ensures that any buffer overflows are contained within the current stack
    frame. Libsafe has been shown to detect several known attacks and can
    potentially prevent yet unknown attacks.
    
    
    Details:
    ========
    
    1.
    
    Libsafe's protection against format string exploits may be easily bypassed
    using flag characters that are implemented in glibc but are not
    implemented in libsafe.
    
    These flags, defined in SUSv2, are not part of the C standard (quoting from
    the printf(3) manpage):
    
           '      For decimal conversion (i, d, u, f, F,  g,  G)  the
                  output  is  to  be grouped with thousands' grouping
                  characters if the locale information indicates any.
                  Note  that  many  versions of gcc cannot parse this
                  option and will issue a warning.   SUSv2  does  not
                  include %'F.
    
           I      For decimal integer conversion (i, d, u) the output
                  uses the locale's alternative output digits, if any
                  (for example, Arabic digits).  However, it does not
                  include any locale definitions with such  outdigits
                  defined. (glibc 2.2 only)
    
    Example exploit:
    
    	printf("%'n", &target);
    	printf("%In", &target);
    
    
    2.
    
    Libsafe's *printf function wrappers incorrectly parse argument indexing in
    format strings. They always assume that the n-th conversion specification
    uses the n-th argument and do not properly count the real number of
    arguments used. Thus, arguments whose index numbers are above the total
    number of conversion specifications are not verified at all.
    
    Example exploit:
    
    	printf("%2$n", "unused argument", &target);
    
    Total number of conversion specifications used: 1 ("%2$n")
    Number of arguments used: 2
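Both issues above are parsing gaps in a format-string scanner: it must recognise every flag glibc accepts and must honour positional `m$` indexes when deciding which argument a `%n` writes through. The following scanner is an added example, not libsafe's code, showing how a wrapper can compute the highest argument slot a `%n` reaches; the function name `highest_n_arg` and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Returns the highest argument slot that a %n conversion in fmt would
 * write through, or 0 when fmt contains no %n. Unlike the libsafe 2.0-11
 * behaviour described above, it accepts the ' and I flags and applies
 * positional "m$" indexes instead of assuming the n-th conversion uses
 * the n-th argument. */
int highest_n_arg(const char *fmt)
{
    int next = 1;      /* slot consumed by the next non-positional conversion */
    int highest = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;       /* "%%" is a literal percent sign */
        int slot = 0;
        char *end;
        long v = strtol(p, &end, 10);    /* optional positional index "m$" */
        if (end != p && *end == '$') { slot = (int)v; p = end + 1; }
        /* flags, including the SUSv2 ' and glibc-only I flags */
        while (*p && strchr("#0- +'I", *p)) p++;
        /* width, then precision: digits, or '*' / '*m$' (a '*' without an
         * index consumes the next argument slot) */
        for (int part = 0; part < 2; part++) {
            if (part == 1) { if (*p != '.') break; p++; }
            if (*p == '*') {
                p++;
                v = strtol(p, &end, 10);
                if (end != p && *end == '$') p = end + 1; else next++;
            } else {
                while (*p >= '0' && *p <= '9') p++;
            }
        }
        while (*p && strchr("hlLqjzt", *p)) p++;   /* length modifiers */
        if (!*p) break;                            /* truncated specification */
        if (slot == 0) slot = next++;
        if (*p == 'n' && slot > highest) highest = slot;
    }
    return highest;
}

int main(void)
{
    /* constructed inputs: the advisory's bypass strings plus a benign format */
    const char *samples[] = { "%'n", "%In", "%2$n", "%s=%d" };
    for (size_t i = 0; i < 4; i++)
        printf("%-8s -> highest %%n slot: %d\n", samples[i], highest_n_arg(samples[i]));
    return 0;
}
```

A wrapper would compare the returned slot against the number of arguments it can account for and refuse the call when a `%n` reaches beyond them.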
    
    
    Fix:
    ====
    
    On March 18, 2002, a new version of libsafe, 2.0-12, was released fixing
    the above security issues.
    
    -- 
    Wojciech Purczynski
    iSEC Security Research
    http://isec.pl/
    
    
    



    This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 12:47:41 PST