| Title | Dynamic Loader Oriented Programming on Linux |
| Publication Type | Conference Paper |
| Year of Publication | 2017 |
| Authors | Kirsch, Julian, Bierbaumer, Bruno, Kittel, Thomas, Eckert, Claudia |
| Conference Name | Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium |
| Publisher | ACM |
| Conference Location | New York, NY, USA |
| ISBN Number | 978-1-4503-5321-2 |
| Keywords | Address Space Layout Randomization Determinism, composability, Dynamic Loader, glibc, Linux, Loader Oriented Programming, Metrics, pubcrawl, Software Exploitation, software security, Software Vulnerability, taint analysis |
| Abstract | Memory corruptions are still the most prominent venue to attack otherwise secure programs. In order to make exploitation of software bugs more difficult, defenders introduced a vast number of post corruption security mitigations, such as wx memory, Stack Canaries, and Address Space Layout Randomization (ASLR), to only name a few. In the following, we describe the Wiederganger1-Attack, a new attack vector that reliably allows to escalate unbounded array access vulnerabilities occurring in specifically allocated memory regions to full code execution on programs running on i386/x86\_64 Linux. Wiederganger-attacks abuse determinism in Linux ASLR implementation combined with the fact that (even with protection mechanisms such as relro and glibc's pointer mangling enabled) there exist easy-to-hijack, writable (function) pointers in application memory. To discover such pointers, we use taint analysis and backwards slicing at the binary level and calculate an over-approximation of vulnerable instruction sequences. To show the relevance of Wiederganger, we exploit one of the discovered instruction sequences to perform an attack on Debian 10 (Buster) by overwriting structures used by the dynamic loader (dl) that are present in any application with glibc and the dynamic loader as dependency. In order to show generality, we solely focus on data structures dispatched at program shutdown, as this is a point that arguably all applications eventually have to reach. This results in a reliable compromise that effectively bypasses all protection mechanisms deployed on x86\_64/i386 Linux to date. We believe Wiederganger to be part of an under-researched type of control flow hijacking attacks targeting internal control structures of the dynamic loader for which we propose to use the terminology Loader Oriented Programming (LOP). |
| URL | http://doi.acm.org/10.1145/3150376.3150381 |
| DOI | 10.1145/3150376.3150381 |
| Citation Key | kirsch_dynamic_2017 |
Dynamic Loader Oriented Programming on Linux