Dynamic Loader Oriented Programming On Linux presented at deepsec 2017

by Claudia Eckert, Thomas Kittel, Julian Kirsch, Bruno Bierbaumer,

Summary : Memory corruptions are still the most prominent venue to attack
otherwise secure programs. In order to make exploitation of soft-
ware bugs more difficult, defenders introduced a vast number of
post corruption security mitigations, such as w⊕x memory, Stack
Canaries, and Address Space Layout Randomization (ASLR), to only
name a few. In the following, we describe the Wiedergänger 1 -Attack,
a new attack vector that reliably allows to escalate unbounded array
access vulnerabilities, occurring in specifically allocated memory
regions, to full code execution on programs running on i386 / x86_64
Wiedergänger-attacks abuse determinism in Linux ASLR imple-
mentation, combined with the fact that (even with protection mecha-
nisms such as relro and glibc’s pointer mangling enabled) there exist
easy-to-hijack, writable (function) pointers in application memory.
To discover such pointers, we use taint analysis and backwards
slicing at the binary level and calculate an over-approximation of
vulnerable instruction sequences.
To show the relevance of Wiedergänger, we exploit one of the
discovered instruction sequences to perform an attack on Debian 10
(Buster) by overwriting structures used by the dynamic loader (dl)
that are present in any application depending on glibc and the
dynamic loader. In order to show generality, we solely focus on
data structures dispatched at program shutdown, as this is a point
that arguably all applications eventually have to reach. This results
in a reliable compromise that effectively bypasses all protection
mechanisms deployed on x86_64 / i386 Linux to date.
We believe Wiedergänger to be part of an under-researched
type of control flow hijacking attacks, targeting internal control
structures of the dynamic loader, for which we propose to use the
terminology Loader Oriented Programming (LOP).