Date: Tue, 20 Jun 2017 09:34:26 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Pawel Biernacki
Cc: Vladimir Terziev, freebsd-security@freebsd.org
Subject: Re: The Stack Clash vulnerability
Message-ID: <20170620133426.ysq47lyb7y666qrq@mutt-hbsd>
References: <20170620131514.vdynljgemuz4fp3c@mutt-hbsd>
X-Operating-System: FreeBSD mutt-hbsd 12.0-CURRENT FreeBSD 12.0-CURRENT
X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE
User-Agent: NeoMutt/20170428 (1.8.2)
List-Id: "Security issues [members-only posting]"

Right, because I use libprocstat. Instead of using libprocstat to
dynamically figure out the start of the stack, you can do other tricks
to find out where the stack lies. Feel free to modify the code to better
suit your environment.
On Tue, Jun 20, 2017 at 02:32:17PM +0100, Pawel Biernacki wrote:
> Hi Shawn,
>
> Nice p0c, but it doesn't work with security.bsd.unprivileged_proc_debug=0,
> which was initially enabled in the menu with hardening options.
>
> Pawel.
>
>
> On 20 June 2017 at 14:15, Shawn Webb wrote:
>
> > On Tue, Jun 20, 2017 at 08:13:46AM +0000, Vladimir Terziev wrote:
> > > Hi,
> > >
> > > I assume the FreeBSD security team is already aware of the Stack Clash
> > > vulnerability, which is stated to affect FreeBSD amongst other Unix-like OS.
> > >
> > > Just in case, here is the analysis document of Qualys:
> > >
> > > https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
> >
> > FreeBSD is indeed affected. I've written a PoC, which works even with
> > the stack guard enabled:
> >
> > https://github.com/lattera/exploits/blob/master/FreeBSD/StackClash/001-stackclash.c
> >
> > Thanks,
> >
> > --
> > Shawn Webb
> > Cofounder and Security Engineer
> > HardenedBSD
> >
> > GPG Key ID: 0x6A84658F52456EEE
> > GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
> >
>
>
>
> --
> One of God's own prototypes. A high-powered mutant of some kind never
> even considered for mass production. Too weird to live, and too rare to die.
--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
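As an added defender-side check that is not part of the thread: a small sh/awk audit of the knob Pawel names, `security.bsd.unprivileged_proc_debug`, which blocks the libprocstat route Shawn's reply mentions; the second knob, `security.bsd.stack_guard_page`, is an assumed sysctl name for the stack guard the thread refers to and is not quoted on the page.

```shell
#!/bin/sh
# Audit the two FreeBSD knobs this thread touches on:
#  - security.bsd.unprivileged_proc_debug: 0 means unprivileged processes may
#    not inspect/debug other processes, which is what stops the libprocstat
#    way of locating another process's stack.
#  - security.bsd.stack_guard_page: assumed sysctl name (not on the page);
#    any value >= 1 is treated as "guard enabled".
# Reads "name: value" lines on stdin, exactly as `sysctl security.bsd`
# prints them, so it runs on a live host or against captured output.
# Exit status is 0 only when both expectations hold.
audit_stack_clash_knobs() {
    awk '
    BEGIN {
        want["security.bsd.unprivileged_proc_debug"] = 0   # exact match
        want["security.bsd.stack_guard_page"]        = -1  # any value >= 1
    }
    /^security\.bsd\./ {
        name = $1; sub(/:$/, "", name)
        seen[name] = $2
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1; continue }
            ok = (want[k] < 0) ? (seen[k] + 0 >= 1) : (seen[k] + 0 == want[k])
            printf "%s %s=%s\n", (ok ? "OK" : "WEAK"), k, seen[k]
            if (!ok) bad = 1
        }
        exit bad
    }'
}

# Constructed sample resembling a host where the hardening menu option was
# left off: proc_debug is still 1, so the audit reports WEAK and exits 1.
SAMPLE_WEAK='security.bsd.unprivileged_proc_debug: 1
security.bsd.stack_guard_page: 1'

# Live usage:        sysctl security.bsd | audit_stack_clash_knobs
# Persist the knob:  security.bsd.unprivileged_proc_debug=0 in /etc/sysctl.conf
# Caveat from the thread: setting it to 0 only removes the libprocstat way of
# finding the stack; other ways exist, so treat it as one hardening layer,
# not as a fix for Stack Clash itself.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_WEAK" | audit_stack_clash_knobs
fi
```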