flat assembler
Message board for the users of flat assembler.

Linux IA32 System Call Emulation Vulnerability

LocoDelAssembly
I've just read COSEINC Linux Advisory #2: IA32 System Call Emulation Vulnerability.

However, is it really exploitable? How could you come there with a non-zero RAX[63:32]?
Post 01 Oct 2007, 00:09
LocoDelAssembly
Quote:
loco@athlon64:~/Desktop/fasm/examples/elfexe64$ ./hello64
Hello 64-bit world!
Hello 64-bit world!
loco@athlon64:~/Desktop/fasm/examples/elfexe64$ cat hello64.asm

; fasm demonstration of writing 64-bit ELF executable
; (thanks to František Gábriš)

; syscall numbers: /usr/src/linux/include/asm-x86_64/unistd.h
; parameters order:
; r9 ; 6th param
; r8 ; 5th param
; r10 ; 4th param
; rdx ; 3rd param
; rsi ; 2nd param
; rdi ; 1st param
; eax ; syscall_number
; syscall

format ELF64 executable

segment readable executable

entry $

mov edx,msg_size ; CPU zero extends 32-bit operation to 64-bit
; we can use less bytes than in case mov rdx,...
lea rsi,[msg]
mov edi,1 ; STDOUT
mov eax,1 ; sys_write
syscall

mov rax,4
mov rbx,1
mov rcx,msg + (-1 shl 32) ; Verified with gdb that RCX[63:32] = $ffffffff
mov rdx,msg_size
int 0x80

xor edi,edi ; exit code 0
mov eax,60 ; sys_exit
syscall

segment readable writeable

msg db 'Hello 64-bit world!',0xA
msg_size = $-msg


So Int $80 behaves as an IA32 system call even in a 64-bit process.

The exploit, then: http://www.securityfocus.com/archive/1/480705/30/0/threaded . It uses a 64-bit process and modifies RAX[63:32] with PTRACE_POKEUSER when a SYSCALL occurs.

I hope the kernel devs fix it by changing ptrace behaviour by masking the regs to 32-bit on 32-bit context rather than unoptimizing the IA32 syscalls that obviously are used a lot more than an only casual ptrace. Or could current ptrace's behaviour be needed for something? Still, some code that masks the regs only when RIP is at the IA32 SYSCALL dispatcher range could be used anyway, but I could accept fixing the dispatcher as the correct way if a mask-all-regs-on-any-32-bit-context brings incompatibility with documentation and/or existing software.
Post 01 Oct 2007, 01:58
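The post above describes two candidate fixes: zero-extend the syscall number in the IA32 emulation dispatcher, or have ptrace truncate register writes to 32 bits while the tracee is in a 32-bit context. The C model below is an added example written for this thread; it is not code from the post, from fasm, or from the Linux kernel. It models the dispatcher's bounds check as a function that returns the table index the entry path would use, so the difference between checking EAX and indexing with the full RAX can be observed without touching any out-of-bounds memory. The five-entry table size, the `struct regs` layout and the poisoned value `0xffffffff00000004` are constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed register file for the example; only the fields used here. */
struct regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi; };

/* Constructed toy IA32 syscall table size; the real table is much larger. */
#define IA32_NR_SYSCALLS 5

/* Model of the IA32 emulation entry path.
 * vulnerable == 1 mimics the flawed sequence: the range check looks only
 * at EAX (the low 32 bits) while the table index is taken from the full
 * 64-bit RAX.  vulnerable == 0 zero-extends EAX before indexing, which is
 * the "fix the dispatcher" approach mentioned in the post.
 * Returns 0 and stores the index in *idx if the range check passes,
 * otherwise -ENOSYS. */
static long ia32_dispatch_index(uint64_t rax, int vulnerable, uint64_t *idx)
{
    uint32_t eax = (uint32_t)rax;          /* what the 32-bit compare sees */
    if (eax >= IA32_NR_SYSCALLS)           /* cmpl / ja style range check */
        return -ENOSYS;
    *idx = vulnerable ? rax : (uint64_t)eax;
    return 0;
}

/* Whether the computed index actually lands inside the table. */
static int index_in_table(uint64_t idx)
{
    return idx < IA32_NR_SYSCALLS;
}

/* The other fix from the post: when the tracee runs in a 32-bit (compat)
 * context, values written via ptrace are truncated to their 32-bit width,
 * so RAX[63:32] can never become non-zero from user space. */
static void mask_regs_for_compat(struct regs *r, int compat)
{
    if (!compat)
        return;
    r->rax &= 0xffffffffULL;
    r->rbx &= 0xffffffffULL;
    r->rcx &= 0xffffffffULL;
    r->rdx &= 0xffffffffULL;
    r->rsi &= 0xffffffffULL;
    r->rdi &= 0xffffffffULL;
}

int main(void)
{
    /* Constructed: syscall 4 (sys_write) with garbage in RAX[63:32]. */
    uint64_t poisoned = (0xffffffffULL << 32) | 4;
    uint64_t idx = 0;

    if (ia32_dispatch_index(poisoned, 1, &idx) == 0)
        printf("vulnerable: check passed, index 0x%llx in table? %d\n",
               (unsigned long long)idx, index_in_table(idx));
    if (ia32_dispatch_index(poisoned, 0, &idx) == 0)
        printf("hardened:   check passed, index 0x%llx in table? %d\n",
               (unsigned long long)idx, index_in_table(idx));

    struct regs r = { poisoned, 0, 0, 0, 0, 0 };
    mask_regs_for_compat(&r, 1);
    printf("ptrace mask: rax = 0x%llx\n", (unsigned long long)r.rax);
    return 0;
}
```

The vulnerable path accepts the poisoned value because the compare only sees `4`, yet the index it would use is `0xffffffff00000004`, far outside the table; the hardened path yields index 4. The ptrace-side mask shows the post's alternative: the poisoned RAX never reaches the dispatcher in the first place.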