seeing is believing

Packet Storm Advisory 2014-1204-1 - Offset2lib: Bypassing Full ASLR On 64bit Linux

Packet Storm Advisory 2014-1204-1 - Offset2lib: Bypassing Full ASLR On 64bit Linux
Posted Dec 5, 2014
Authored by Hector Marco, Ismael Ripoll | Site packetstormsecurity.com

The release of this advisory provides exploitation details in relation a weakness in the Linux ASLR implementation. The problem appears when the executable is PIE compiled and it has an address leak belonging to the executable. These details were obtained through the Packet Storm Bug Bounty program and are being released to the community.

tags | advisory, bug bounty, packet storm
systems | linux
MD5 | a5d4f2cb712163a7ebbd72e95f1856ec

Packet Storm Advisory 2014-1204-1 - Offset2lib: Bypassing Full ASLR On 64bit Linux

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

+------------------------------------------------------------------------------+
| Packet Storm Advisory 2014-1204-1 |
| http://packetstormsecurity.com/ |
+------------------------------------------------------------------------------+
| Title: Offset2lib: Bypassing Full ASLR On 64bit Linux |
+--------------------+---------------------------------------------------------+
| Release Date | 2014/12/04 |
| Advisory Contact | Packet Storm (advisories@packetstormsecurity.com) |
| Researchers | Hector Marco and Ismael Ripoll |
+--------------------+---------------------------------------------------------+
| System Affected | 64 bit PIE Linux |
| Classification | 1-day |
+--------------------+---------------------------------------------------------+

+----------+
| OVERVIEW |
+----------+

The release of this advisory provides exploitation details in relation
a weakness in the Linux ASLR implementation. The problem appears when
the executable is PIE compiled and it has an address leak belonging to
the executable.

These details were obtained through the Packet Storm Bug Bounty program
and are being released to the community.

+------------------------------------------------------------------------------+

+---------+
| DETAILS |
+---------+

An attacker is able to de-randomize all mmapped areas (libraries, mapped files, etc.)
by knowing only an address belonging to the application and the offset2lib value.

+------------------------------------------------------------------------------+

+------------------+
| PROOF OF CONCEPT |
+------------------+

The proof of concept exploit code is available here:
http://packetstormsecurity.com/files/129398

+------------------------------------------------------------------------------+

+---------------+
| RELATED LINKS |
+---------------+

http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html

+------------------------------------------------------------------------------+


+----------------+
| SHAMELESS PLUG |
+----------------+

The Packet Storm Bug Bounty program gives researchers the ability to profit
from their discoveries. You can get paid thousands of dollars for one day
and zero day exploits. Get involved by contacting us at
getpaid@packetstormsecurity.com or visit the bug bounty page at:

http://packetstormsecurity.com/bugbounty/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlSBA04ACgkQrM7A8W0gTbG0jwCdH5CHOIDO9ELRcrPhQmf5FF4z
TgQAn2zuwadnWdMueC8gUQPT5gCmrQyp
=iegV
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    15 Files
  • 19
    Oct 19th
    10 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    4 Files
  • 22
    Oct 22nd
    2 Files
  • 23
    Oct 23rd
    10 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close