The “elegance” of Linux vulnerabilities: rare ways to bypass the ASLR and DEP protection mechanisms - vulnerability warning - the black bar safety net

2016-11-28T00:00:00
ID MYHACK58:62201681608
Type myhack58
Reporter Anonymous
Modified 2016-11-28T00:00:00

Description

Foreign researchers have recently published exploit code that performs drive-by attacks on fully patched Fedora and other Linux systems in order to install keyloggers, backdoors and other malware. The exploit targets a memory-corruption vulnerability in the GStreamer framework, an open source multimedia framework shipped with the mainstream Linux distributions. As everyone knows, address space layout randomization (ASLR) and data execution prevention (DEP) are two security measures on Linux whose purpose is to make software exploits harder to carry out. But the newly released exploit bypasses both in an unusual way, and the foreign press specifically highlighted the "elegant" features of the vulnerability. The researcher crafted a FLAC media file, and that file alone is enough to exploit it.

ASLR is a security technique against buffer overflows: by randomizing the layout of the heap, the stack and the shared-library mappings in the linear address space, it makes it harder for an attacker to predict a destination address, stops the attacker from locating the attack code directly, and so prevents the overflow attack from succeeding. DEP performs additional checks on memory to help prevent malicious code from running on the system.

No-script exploit

Unlike the traditional ways of bypassing ASLR and DEP, this exploit contains no code that tampers with the memory layout or other environment variables. Instead it takes the harder route of a pure sequence of bytes that defeats those protections completely. Since it requires neither JavaScript nor any other code that communicates with memory, this attack remains feasible where other attacks are not.
“This exploit is ridiculous,” researcher Chris Evans wrote in a blog post on Monday, “but it proves that a no-script exploit is also feasible: even under 64-bit ASLR there are still ways to perform memory reads and writes, to advance steadily step by step through the attack and then take control.”

Dan Rosenberg, a senior researcher at Azimuth Security, specializes in defending against Linux vulnerabilities. In an e-mail he agreed with Chris Evans' view: the exploit is quite powerful, because it manages to bypass ASLR, NX and other advanced protections and needs no interaction with the target software. Moreover, when you attack a browser vulnerability, the exploit uses JavaScript to influence the memory layout; likewise, when you attack a local kernel vulnerability, the exploit issues system calls to influence the target environment. But here the situation is very different: because the exploit is a standalone media file, the attacker has no opportunity to make adjustments during the attack.

Evans subsequently released a FLAC media file that runs against the default Fedora 24 installation with the latest preloaded version of GStreamer. Evans said writing an Ubuntu exploit is easier, because Ubuntu lacks defences such as ASLR and RELRO, even in the latest 16.04 LTS release. But his exploit still has to be rewritten to run on Linux versions other than Fedora 24. Although the attack targets GStreamer's FLIC file format decoder, Evans said the actual target of the attack is the binary code of the Rhythmbox media player; the Totem player can be attacked in a similar way.

Exploit download: https://security.appspot.com/security/flic/fedora_flx_exploit.flac (Fedora 24 only)

Exploiting it is more trouble

This exploit has more academic research value than practical value, because it has to be rewritten to run on any other Linux version. And since few users play media with software on Linux in the first place, the scope in which it could be used is even smaller.
On Tuesday Ubuntu released a patch, and in the next few days more vendors should follow. Whether or not this vulnerability is truly elegant, interested readers can follow the original link below.
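The protections the article names (ASLR, which can only randomize a program's own mappings when the binary is position independent; NX/DEP; and RELRO, which Evans noted the Ubuntu target lacked) are all recorded in an ELF binary's headers. The following Python script, added here as an example and not part of the article or of Evans' exploit, reads those headers directly and reports whether an executable was built with PIE, a non-executable stack and partial or full RELRO, which is the check a defender would run on a media player such as Rhythmbox or Totem. It assumes little-endian ELF64 input, and the `build_sample_elf` helper produces a constructed minimal ELF image (only the headers the check reads, not a loadable binary) so the script runs without any real binary on hand.

```python
import struct
import sys

# ELF constants (ELF64 specification and the GNU/Linux ABI extensions).
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian, 64 bytes
PHDR = "<IIQQQQQQ"          # Elf64_Phdr, 56 bytes
DYN = "<QQ"                 # Elf64_Dyn (tag, value), 16 bytes


def elf_hardening(data):
    """Report PIE / NX / RELRO status of a little-endian ELF64 image.

    pie:   ET_DYN means the image is position independent, so ASLR can
           randomize its base (for an executable; shared objects are ET_DYN too).
    nx:    PT_GNU_STACK present without PF_X. A missing PT_GNU_STACK counts as
           no NX, because the Linux loader then falls back to an executable stack.
    relro: 'none', 'partial' (PT_GNU_RELRO only) or 'full' (RELRO plus BIND_NOW,
           so the GOT is made read-only before main() runs).
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    fields = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]

    nx, has_relro, bind_now = False, False, False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic table until DT_NULL looking for a BIND_NOW marker.
            off = p_offset
            while off + 16 <= p_offset + p_filesz:
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
                off += 16
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def check_file(path):
    """Run the check on a binary on disk, e.g. a media player executable."""
    with open(path, "rb") as f:
        return elf_hardening(f.read())


def build_sample_elf(e_type, stack_flags, relro, bind_now):
    """Construct a minimal ELF64 image carrying only the headers the check reads.
    This is a constructed sample for the demonstration, not a loadable binary."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    dyn = struct.pack(DYN, DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack(DYN, DT_NULL, 0)
    phnum = len(phdrs) + 1
    dyn_off = 64 + 56 * phnum  # dynamic table is placed right after the program headers
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, check_file(path))
    else:
        # No binary given: show a hardened and a weak constructed sample side by side.
        print("hardened sample:", elf_hardening(build_sample_elf(ET_DYN, 6, True, True)))
        print("weak sample:    ", elf_hardening(build_sample_elf(ET_EXEC, 7, False, False)))
```

Saved as, say, `elf_hardening.py` (an assumed file name), it can be pointed at an installed player with `python3 elf_hardening.py /usr/bin/rhythmbox /usr/bin/totem`; a result of `pie: False` is exactly the condition Evans described, where ASLR cannot randomize the main executable's addresses even though the system nominally has ASLR enabled.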