Wednesday, April 22, 2009

Local bypass of Linux ASLR through /proc information leaks

EDIT2: Thanks to the efforts of Jake Edge who noticed our presentation, /proc/pid/stat information leak is now at least partially patched in mainline kernel, since
EDIT1: This is featured in an LWN article by Jake Edge

Tavis Ormandy and myself talked about locally bypassing address space layout randomization (ASLR) in Linux in a lightning talk at CanSecWest.

From Linux 2.6.12 to Linux 2.6.21, you could completely bypass ASLR when targeting local processes by reading /proc/pid/maps. Since Linux 2.6.22, if you cannot ptrace "pid", then you will see an empty /proc/pid/maps.

It has been known for at least 7 years now that /proc/pid/stat and /proc/pid/wchan could also leak sensitive information. Reading this information has been prevented in GRSecurity since the beginning as well as in this patch.

The question was: could you exploit this information to bypass ASLR in practice?
If you want to find out, it's easy: we've just published the slides and Tavis' tool!

1 comment:

  1. Jake Edge has forwarded this information and a patch to the LKML. He also wrote an article on LWN about this issue and an issue in get_random_int() disclosed at BlackHat by Hagen Fritsch.