Date: Tue, 20 Jun 2017 14:32:17 +0100
From: Pawel Biernacki <pawel.biernacki@gmail.com>
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: Vladimir Terziev <vterziev@gvcgroup.com>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: The Stack Clash vulnerability
Message-ID: <CAA3htvujThwvzFgR73edmY=Y4YBf%2BgbXES0k2HhwAkMJw2wzBQ@mail.gmail.com>
In-Reply-To: <20170620131514.vdynljgemuz4fp3c@mutt-hbsd>
References: <F9B7242B-ED83-45C5-9196-6FD095AD9497@gvcgroup.com> <20170620131514.vdynljgemuz4fp3c@mutt-hbsd>
Hi Shawn,

Nice PoC, but it doesn't work with security.bsd.unprivileged_proc_debug=0, which was initially enabled in the menu with hardening options.

Pawel.

On 20 June 2017 at 14:15, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> On Tue, Jun 20, 2017 at 08:13:46AM +0000, Vladimir Terziev wrote:
> > Hi,
> >
> > I assume the FreeBSD security team is already aware of the Stack Clash
> > vulnerability, which is stated to affect FreeBSD amongst other Unix-like OSes.
> >
> > Just in case, here is the analysis document from Qualys:
> >
> > https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
>
> FreeBSD is indeed affected. I've written a PoC, which works even with
> the stack guard enabled:
>
> https://github.com/lattera/exploits/blob/master/FreeBSD/StackClash/001-stackclash.c
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder and Security Engineer
> HardenedBSD
>
> GPG Key ID: 0x6A84658F52456EEE
> GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

--
One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live, and too rare to die.