If a program attempts to allocate memory on the stack (e.g. via malloc() or stackalloc()), the stack will be marked as executable, causing a segmentation violation and resulting in a segmentation fault. These vulnerabilities are often referred to as “stack canaries” or “stack smashing” vulnerabilities.
The most dangerous of these (CVE-2018-8897) can be exploited by placing a memory disclosure (e.g. a heap overflow) in a location where it is possible to mark the stack executable. This results in the stack being marked as executable, causing a segmentation fault and resulting in a crash.
How Can I Detect If My Program Is Vulnerable?
There are a number of ways to detect if your program is vulnerable. One of the easiest is to add a check for stack execution at the beginning of your program:
if (eax == 0x7ffc) { // stack canary set successfully }
This code makes it possible for you to detect if the stack has been marked as executable. Another way is to add an additional check for a return on the stack that performs no operations, such as:
if (rax == 0x1) { // stack canary set successfully }
This will allow you to detect if the stack has been marked as executable and there is a return instruction on the top of it. Finally, you could use a debugger like GDB or LLDB to analyze what is happening in your program when it crashes and see if there are any memory disclosures.
How do I detect if my application is vulnerable?
There are two techniques for detecting if your application is vulnerable. The first technique is the "stack canary" technique, which involves placing a value that you expect will not be overwritten by the allocation routine in a stack location before it is allocated. If this value is later overwritten, it will cause a segmentation fault because the stack was marked as executable. This technique requires that the stack be directly accessible from user space, which can only be achieved with process-local mappings of the stack such as task stacks and thread stacks.
The second technique is to use a tool such as Valgrind or AddressSanitizer (ASAN). These tools have extensive capabilities for analyzing program behavior and detecting memory corruption vulnerabilities like this one. During testing, these tools should only be used on OS-level processes (e.g., Apache), which ensures that any detected vulnerabilities do not affect other applications in the system.
Stack-Based Buffer Overflow
Stack-based buffer overflow vulnerabilities are one of the most common types of memory corruption vulnerabilities. A stack buffer overflow occurs when a program attempts to allocate memory on the stack but is unable to do so. The attacker can then exploit this by placing a buffer overflow in a location where it is possible to mark the stack executable. This results in the stack being marked as executable, causing a segmentation fault and resulting in a crash.
Timeline
Published on: 09/22/2022 17:15:00 UTC
Last modified on: 09/23/2022 03:17:00 UTC