Artificial truth

The more you see, the less you believe.


Paper notes: Position-independent Code Reuse
Mon 02 April 2018 — download

Most of the time, you need either a leak or a side-channel to bypass ASLR. The paper claims that you don't, provided you have a non-linear relative memory write (an out-of-bounds access on an array, a type confusion, a use-after-free, …). The exploitation process is divided into four phases:

  1. Stack massaging: when functions are called, (randomized) values, arguments, code pointers, … are pushed on the stack and never cleared. The goal of this step is to make the program write useful data and pointers on the stack.
  2. Patch the least-significant bits of the code pointers on the stack, since those bits aren't usually subject to ASLR.
  3. Patch the least-significant bits of the data/operands on the stack. We now have a complete ROP chain: data and pointers to gadgets.
  4. Jump to the payload location to execute it.

Although no code is published, the authors demonstrate their exploits on YouTube for CVE-2012-5976 (Asterisk) and kinda-CVE-2016-1977 (Firefox).

This approach bypasses more or less any randomisation-based mitigation, since, for performance reasons, code must stay aligned, which leaves the low bits of code pointers unrandomized.

The paper is well written and full of interesting thoughts and details; you should read it.