FRESH

Hacker News

No Leak, No Problem – Bypassing ASLR with a ROP Chain to Gain RCE

113 points by todsacerdoti

by nneonneo

2 subcomments

If I read this correctly, they’re “bypassing ASLR” because the binary isn’t PIE, so it’s loaded at a static address.
I would not consider this actually bypassing ASLR, because ASLR is already turned off for a critically important block of code. Practically any large-enough binary has gadgets that can be useful for ROP exploitation, even if chaining them together is somewhat painful. For ASLR to be a reasonably effective mitigation, every memory region needs to be randomized.

by BiraIgnacio

0 subcomment

"No Leak, No Problem - Bypassing Address Space Layout Randomization with a Return-Oriented Programming Chain to Gain Remote Code Execution"
Expanding it, perhaps to the benefit of others like me.

by alchemio

0 subcomment

The most shocking part is the absence of stack canaries. I know there are issues with them on microcontrollers, but still I would assume they’re enabled by default by the compiler.

by OneLessThing

0 subcomment

Good job. It’s early 2000s level stuff but it’s still exciting when it’s happening on your desk. There are lots of options in this scenario outside of bypassing ASLR so I do find it odd to be the main feature of the title, but a fun read nonetheless.
It’s fun working on targets with a less established research history. And I love a soup to nuts writeup, Thanks.

by manwe150

0 subcomment

I’m somewhat curious why GOT and PLT are ever mapped readable these days, when it could have been only mapped readable and then glibc use one of the various API tricks that other JIT (ld.so is obviously a JIT too) often use to write to memory indirectly while maintaining security hardening, such as maintaining a dual mapping for writing at a random address offset from the readonly fixed address section. That way there is never a partial relo vs PIE vs performance vulnerability tradeoff

by kingforaday

1 subcomments

You typically don't see ASLR enabled on these armhf embedded devices. I see the statement by the author, " quickly confirmed on the device that address space layout randomization (ASLR) was enabled...", but how was it quickly checked? What was the output of /proc/sys/kernel/randomize_va_space?
Also not familiar at all with the checksec program, but from my look at the documentation, you expect to see PIE enabled not DSO (which implies dynamic shared object).

by throwaway978FA

0 subcomment

System architecture routing to /temp/ in order for bypassing ipc_server parameter, which ASLR memcpy string encoding stacks to the 516 byte buffer during overflow.