| 1 |
Executive summary |
| 2 |
|
| 3 |
With Gentoo Hardened no ebuilds compiled with a hardened toolchain with |
| 4 |
version 4.8 or higher should be affected by this issue as |
| 5 |
-fstack-check=specific is enabled by default. The only known exceptions |
| 6 |
are media-video/vlc and (on HPPA) dev-lang/tcl wich disable this feature. |
| 7 |
|
| 8 |
|
| 9 |
Introduction |
| 10 |
|
| 11 |
The Gentoo Hardened team has been made aware of a set of vulnerabilities |
| 12 |
known as Stack Clash. |
| 13 |
|
| 14 |
These vulnerabilities involve the process stack pointer jumping onto |
| 15 |
other memory regions allowing the attacker to either modify the contents |
| 16 |
of the stack itself or the memory region on which the stack overflows. |
| 17 |
As a result, an attacker may be able to modify the data of affected |
| 18 |
programs or their execution flow and trigger the execution of arbitrary |
| 19 |
code. |
| 20 |
|
| 21 |
The existence of such issues has been known since at least 2005 when |
| 22 |
Gael Delalleau presented an example of such an issue affecting mod_php |
| 23 |
in apache. |
| 24 |
|
| 25 |
|
| 26 |
Requirements to perform the attack |
| 27 |
|
| 28 |
* The attacker needs to be able to move the stack pointer onto an |
| 29 |
adjacent memory region. |
| 30 |
* The attacker needs to ensure this happens without accessing the gap |
| 31 |
between the stack and the next region. |
| 32 |
* The attacker needs to be able overwrite the area where the stack |
| 33 |
overlaps with the other section in a meaningful way. For example, |
| 34 |
overwriting the return address of a function to take control of the |
| 35 |
execution flow. |
| 36 |
|
| 37 |
|
| 38 |
Effect of Gentoo Hardened protections |
| 39 |
|
| 40 |
As a way to make exploitation of such issues harder vanilla Linux |
| 41 |
kernels introduced a 4kiB gap between the stack and the other regions |
| 42 |
called guard page, on PaX based kernels like hardened-sources the size |
| 43 |
of this gap defaults at 64kiB and can be modified using |
| 44 |
/proc/sys/vm/heap_stack_gap. As shown by Qualys' advisory, such gap |
| 45 |
isn't large enough for all allocations and can be jumped over in some cases. |
| 46 |
|
| 47 |
It should be taken into account that this measure was never meant as a |
| 48 |
final solution as this problem can only be addressed correctly during |
| 49 |
code generation. Therefore, increasing the size of this gap will not |
| 50 |
deter all exploitation attempts as large enough allocations may still be |
| 51 |
able to jump over the gap. It will though affect the processes running |
| 52 |
on the system and limit the amount of virtual memory space available to |
| 53 |
them. Although this might not be a problem on 64 bit architectures where |
| 54 |
the virtual memory space is quite large, on 32 bit architectures this |
| 55 |
may still be problematic and should be taken into account before using a |
| 56 |
large heap_stack_gap value. |
| 57 |
|
| 58 |
The Gentoo Hardened toolchain also makes use of gcc's Stack Checking |
| 59 |
feature using -fstack-check=specific since gcc 4.8. This makes gcc add |
| 60 |
stack probing code when large allocations are made ensuring that the |
| 61 |
guard page or the stack gap are accessed and preventing the attack by |
| 62 |
killing the process. |
| 63 |
|
| 64 |
To be fully effective -fstack-check=specific requires that all the |
| 65 |
source files used by the process have been compiled making use of this |
| 66 |
feature. This is because gcc may optimize away some of the checks that |
| 67 |
are considered redundant. |
| 68 |
|
| 69 |
An assesment over the portage tree hints that only two ebuilds disable |
| 70 |
this feature. The ebuild for media-video/vlc disables it on all packages |
| 71 |
to address Gentoo bug #499996. On the other hand, the ebuild for |
| 72 |
dev-lang/tcl disables this feature on HPPA builds to address Gentoo bug |
| 73 |
#280934. |
| 74 |
|
| 75 |
It is possible to check the version of the compiler used on a specific |
| 76 |
ELF binary by checking the value of the .comment section as long as it |
| 77 |
was not stripped. For this the command "$ readelf -p .comment binary" |
| 78 |
can be used, for example to check /usr/bin/whoami run "$ readelf -p |
| 79 |
.comment /usr/bin/whoami". Users of the split-debug portage feature |
| 80 |
should instead check on /usr/lib/debug/. For example the prior example |
| 81 |
for /usr/bin/whoami would be "$ readelf -p .comment |
| 82 |
/usr/lib/debug/usr/bin/whoami.debug". |
| 83 |
|
| 84 |
Prior versions of the toolchain make use of -fstack-protector-all which, |
| 85 |
although not preventing the issue, will make it harder for an attacker |
| 86 |
to take control of the execution flow of the program as depending on how |
| 87 |
the attack is performed the attacker may need to find out the value of |
| 88 |
the canary in the stack. |
| 89 |
|
| 90 |
In this case caution is advised because the amount of ebuilds disabling |
| 91 |
SSP is much larger and, shall the frame of any function provided by the |
| 92 |
binaries generated using these ebuilds end up on the overflowed into |
| 93 |
memory section, the attacker will be able to overwrite |
| 94 |
their return pointer. |
| 95 |
|
| 96 |
Most of the binaries in Gentoo Hardened are also compiled as PIE |
| 97 |
binaries, this allows using ASLR which both vanilla and PaX kernels |
| 98 |
provide with the second being noticeably stronger. This will make it |
| 99 |
harder for an attacker to figure out a valid address on which to return. |
| 100 |
|
| 101 |
Additionally PaX can prevent RWX mappings including the stack itself, |
| 102 |
this makes it more difficult for the attacker to introduce new code |
| 103 |
forcing him to use executable code already present on the process at the |
| 104 |
time of the attack. Keep in mind though that most programs making use of |
| 105 |
JIT compilers will have this feature disabled. |
| 106 |
|
| 107 |
Finally, hardened-sources allows enabling "Deter exploit bruteforcing". |
| 108 |
This feature limits the number of attack attempts per second that can be |
| 109 |
made against SUID binaries making exploitation noticeably harder. |
| 110 |
|
| 111 |
As a result, on hardened-sources the increased entropy provided by ASLR |
| 112 |
will require a large number of attack attempts before succeeding at |
| 113 |
taking control of the program realiably. This, along with the slowdown |
| 114 |
introduced by ''Deter exploit bruteforcing'', will make the attack |
| 115 |
require a huge amount of time to succeed. Because of this, such attacks |
| 116 |
will be unfeasible in the majority of situations. |
| 117 |
|
| 118 |
Conclusion |
| 119 |
|
| 120 |
With the exception of exploits able to make use of media-video/vlc to |
| 121 |
jump over the thread gap and (on HPPA systems) dev-lang/tcl any users of |
| 122 |
Gentoo Hardened who have recompiled their user spaces using gcc 4.8 or |
| 123 |
higher are protected against such issues. |
| 124 |
|
| 125 |
Users of prior versions of gcc have also partial protection against some |
| 126 |
of the exploits thanks to ASLR, PIE, "Deter exploit bruteforcing" and |
| 127 |
even SSP although they should reconsider rebuilding their userspace with |
| 128 |
a more modern version of the hardened toolchain. |
| 129 |
|
| 130 |
|
| 131 |
Further reading reading and sources |
| 132 |
|
| 133 |
* The advisory by Qualys: |
| 134 |
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt |
| 135 |
* Jeff Law on -fstack-check needing full coverage to be effective: |
| 136 |
https://gcc.gnu.org/ml/gcc-patches/2017-06/msg01343.html |
| 137 |
* Grsecurity's project comments on the issue: |
| 138 |
https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php |
| 139 |
* Gentoo's bug regarding CVE-2017-1000377: |
| 140 |
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2017-1000377 |
| 141 |
* GCC's Stack Checking: |
| 142 |
https://gcc.gnu.org/onlinedocs/gccint/Stack-Checking.html |
| 143 |
* Gentoo bug regarding stack checking being disabled on VLC: |
| 144 |
https://bugs.gentoo.org/show_bug.cgi?id=499996 |
| 145 |
* Gentoo bug regarding stack checking being disabled on tcl: |
| 146 |
https://bugs.gentoo.org/show_bug.cgi?id=280934 |
| 147 |
|
| 148 |
Thanks |
| 149 |
|
| 150 |
The Gentoo Hardened team would like to thank the PaX Team for its |
| 151 |
outstanding work and its support whilst writting this statement. |
| 152 |
|
| 153 |
We'd also like to thank Zorry for his hard work introducing |
| 154 |
-fstack-check=specific on the toolchain. |
| 155 |
|
| 156 |
The latest version of this statement can be found on |
| 157 |
https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash |
Archives