Date:      Tue, 20 Jun 2017 09:34:26 -0400
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Pawel Biernacki <pawel.biernacki@gmail.com>
Cc:        Vladimir Terziev <vterziev@gvcgroup.com>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: The Stack Clash vulnerability
Message-ID:  <20170620133426.ysq47lyb7y666qrq@mutt-hbsd>
In-Reply-To: <CAA3htvujThwvzFgR73edmY=Y4YBf%2BgbXES0k2HhwAkMJw2wzBQ@mail.gmail.com>
References:  <F9B7242B-ED83-45C5-9196-6FD095AD9497@gvcgroup.com> <20170620131514.vdynljgemuz4fp3c@mutt-hbsd> <CAA3htvujThwvzFgR73edmY=Y4YBf%2BgbXES0k2HhwAkMJw2wzBQ@mail.gmail.com>

Right, because I use libprocstat. Instead of using libprocstat to
dynamically figure out the start of the stack, you can do other tricks
to find out where the stack lies. Feel free to modify the code to better
suit your environment.

On Tue, Jun 20, 2017 at 02:32:17PM +0100, Pawel Biernacki wrote:
> Hi Shawn,
>
> Nice p0c, but it doesn't work with security.bsd.unprivileged_proc_debug=0,
> which was initially enabled in the menu with hardening options.
>
> Pawel.
>
>
> On 20 June 2017 at 14:15, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
>
> > On Tue, Jun 20, 2017 at 08:13:46AM +0000, Vladimir Terziev wrote:
> > > Hi,
> > >
> > > I assume the FreeBSD security team is already aware of the Stack Clash
> > > vulnerability, which is stated to affect FreeBSD amongst other Unix-like OS.
> > >
> > > Just in case, here is the analysis document from Qualys:
> > >
> > > https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
> >
> > FreeBSD is indeed affected. I've written a PoC, which works even with
> > the stack guard enabled:
> >
> > https://github.com/lattera/exploits/blob/master/FreeBSD/StackClash/001-stackclash.c
> >
> > Thanks,
> >
> > --
> > Shawn Webb
> > Cofounder and Security Engineer
> > HardenedBSD
> >
> > GPG Key ID:          0x6A84658F52456EEE
> > GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
> >
>
>
>
> --
> One of God's own prototypes. A high-powered mutant of some kind never
> even considered for mass production. Too weird to live, and too rare to die.

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170620133426.ysq47lyb7y666qrq>