[ossec-dev] [PATCH] use stack protector on newer gcc versions that support it
A lot of people ask what good is the stack protector and don't
understand its real use. Here is an example of what it can do:
======================================================
jeff@omniscience:~/src/c$ cat gets.c
#include <stdio.h>
int main(void) {
char instring[20];
printf("Please overflow my buffer: ");
gets(instring);
return 0;
}
jeff@omniscience:~/src/c$ gcc -fstack-protector -o gets gets.c
/tmp/cc4h1VDd.o: In function `main':
gets.c:(.text+0x2f): warning: the `gets' function is dangerous and should not be used.
jeff@omniscience:~/src/c$ ./gets
Please overflow my buffer: Hello, my name is jeff the script kiddie and next comes metasploit to own your box
*** stack smashing detected ***: ./gets terminated
Aborted (core dumped)
jeff@omniscience:~/src/c$ Maybe it is time to go get some milk and cookies...
jeff@omniscience:~/src/c$ gcc -fno-stack-protector -o gets gets.c
/tmp/cciF3xXu.o: In function `main':
gets.c:(.text+0x24): warning: the `gets' function is dangerous and should not be used.
jeff@omniscience:~/src/c$ ./gets
Please overflow my buffer: Next comes the shellcode to own the box
Segmentation fault (core dumped)
======================================================
Setting __SSP__ to 1 enables the heuristics to only enable the SSP on
functions that benefit from it. The equivalent gcc option is
-fstack-protector. Setting __SSP_ALL__ to 2 enables SSP on every function but
has a slight performance penalty. The equivalent gcc option is
-fstack-protector-all.
The goal of this patch is to harden OSSEC against potential buffer
overflows even if Daniel is a perfect coder.
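As an added example (not code from this post and not OSSEC code), here is a small C file that ties the demo and the mode explanation together: it reports which stack-protector mode gcc actually compiled it with, using the macros gcc itself predefines for that purpose (__SSP__ = 1 for -fstack-protector, __SSP_ALL__ = 2 for -fstack-protector-all, and from later gcc releases __SSP_STRONG__ = 3 and __SSP_EXPLICIT__ = 4), checks the compiler version as one combined number, and replaces the gets() call from the demo with a bounded read so the overflow never happens in the first place. The function names are my own, and the overlong input line is constructed from the demo session above.

```c
#include <stdio.h>
#include <string.h>

/* Report which stack-protector mode this translation unit was compiled
 * with. gcc predefines __SSP__=1 under -fstack-protector, __SSP_ALL__=2
 * under -fstack-protector-all, __SSP_STRONG__=3 under
 * -fstack-protector-strong and __SSP_EXPLICIT__=4 under
 * -fstack-protector-explicit; none of them is defined when the protector
 * is off. A #define of __SSP__ in a header does not change code
 * generation; only the command-line flag does. */
int ssp_mode(void) {
#if defined(__SSP_EXPLICIT__)
    return __SSP_EXPLICIT__;
#elif defined(__SSP_STRONG__)
    return __SSP_STRONG__;
#elif defined(__SSP_ALL__)
    return __SSP_ALL__;
#elif defined(__SSP__)
    return __SSP__;
#else
    return 0;
#endif
}

/* Hypothetical helper: compiler version test as one combined number, so
 * that gcc 4.2.0 or 5.0.0 count as "at least 4.1.2" (comparing the three
 * components independently would reject them). */
int gcc_at_least(int major, int minor, int patch) {
#if defined(__GNUC__)
    long have = __GNUC__ * 10000L + __GNUC_MINOR__ * 100L + __GNUC_PATCHLEVEL__;
    long want = major * 10000L + minor * 100L + patch;
    return have >= want;
#else
    (void)major; (void)minor; (void)patch;
    return 0;
#endif
}

/* Bounded replacement for gets(): reads at most size-1 bytes into buf,
 * strips the trailing newline and returns 0 (line fit), 1 (line was longer
 * than the buffer; the excess was discarded) or -1 (EOF/error).
 * The protector only turns an overflow into an abort; this avoids it. */
int read_line(char *buf, size_t size, FILE *in) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')  /* buffer was exactly large enough */
        return 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                       /* drain the rest of the overlong line */
    return 1;
}

/* Test scaffold: feed a constructed string through read_line via a
 * temporary file so the function can be exercised without a terminal. */
int read_line_from_string(const char *input, char *buf, size_t size) {
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    int rc = read_line(buf, size, f);
    fclose(f);
    return rc;
}

int main(void) {
    char instring[20];          /* same 20-byte buffer as gets.c above */
    printf("stack protector mode: %d (gcc >= 4.1.2: %d)\n",
           ssp_mode(), gcc_at_least(4, 1, 2));
    /* constructed input, longer than the buffer, as in the demo */
    int rc = read_line_from_string(
        "Hello, my name is jeff the script kiddie\n", instring, sizeof instring);
    printf("read \"%s\" (truncated=%d)\n", instring, rc);
    return 0;
}
```

Build it once with `gcc -fstack-protector` and once with `gcc -fno-stack-protector` and compare the mode it prints: the value comes from the flag gcc was given, not from anything a header defines, which is the check a build system should make if it wants to be sure the hardening is actually on.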
Index: shared.h
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/headers/shared.h,v
retrieving revision 1.35
diff -u -r1.35 shared.h
--- shared.h 10 Aug 2007 00:56:22 -0000 1.35
+++ shared.h 14 Aug 2007 19:55:45 -0000
@@ -9,9 +9,24 @@
* Foundation
*/
-/* v0.2 (2005/12/23): Adding 'u_int16_t' for Solaris.
+/* v0.3 (2007/12/23): Adding SSP & FORTIFY_SOURCE
<jeffschroeder@xxxxxxxxxxxx>
+ * v0.2 (2005/12/23): Adding 'u_int16_t' for Solaris.
* v0.1 (2005/10/27): first version.
*/
+
+/*
+ * The stack smashing protector defeats some BoF via: gcc -fstack-
protector
+ * Reference: http://gcc.gnu.org/onlinedocs/gcc-4.1.2/cpp.pdf
+ */
+#if defined(__GNUC__) && (__GNUC__ >= 4) && (__GNUC_MINOR__ >= 1) &&
\
+ (__GNUC_PATCHLEVEL__ >= 2)
+
+/* Heuristicly enable the stack protector on sensitive functions */
+#define __SSP__ 1
+
+/* FORTIFY_SOURCE is Redhat / Fedora specific */
+#define FORTIFY_SOURCE
+#endif
#ifndef __SHARED_H
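Review bot: neither `#define` in this hunk enables the hardening it is named after. `__SSP__` is a macro gcc predefines when it is invoked with `-fstack-protector` (and `__SSP_ALL__` with `-fstack-protector-all`), so defining it in shared.h changes nothing about code generation, and glibc's fortification is driven by `_FORTIFY_SOURCE` (leading underscore, set to 1 or 2), which must be defined before the first system header is included and only takes effect at -O1 or above; `#define FORTIFY_SOURCE` with no underscore and no value is ignored. Put `-fstack-protector` and `-D_FORTIFY_SOURCE=2` into CFLAGS in the Makefile instead and drop the header defines (names beginning with two underscores are reserved for the implementation anyway). The guard `(__GNUC__ >= 4) && (__GNUC_MINOR__ >= 1) && (__GNUC_PATCHLEVEL__ >= 2)` compares the components independently, so it rejects gcc 4.2.0 and 5.0.0 while accepting 4.1.2; compare one combined number, e.g. `(__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= 40102`. Two documentation points: FORTIFY_SOURCE is a glibc feature, not something specific to Red Hat or Fedora (those distributions merely enable it by default), and the changelog line dates v0.3 as 2007/12/23 although the diff is from 14 Aug 2007.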
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.