A "return-to-libc" attack is a
computer security
Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, t ...
attack usually starting with a
buffer overflow
In information security and programming, a buffer overflow, or buffer overrun, is an anomaly whereby a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
Buffers are areas of memo ...
in which a subroutine
return address
In postal mail, a return address is an explicit inclusion of the address of the person sending the message. It provides the recipient (and sometimes authorized intermediaries) with a means to determine how to respond to the sender of the message i ...
on a
call stack
In computer science, a call stack is a stack data structure that stores information about the active subroutines of a computer program. This kind of stack is also known as an execution stack, program stack, control stack, run-time stack, or mac ...
is replaced by an address of a subroutine that is already present in the
process executable memory, bypassing the
no-execute bit feature (if present) and ridding the attacker of the need to
inject their own code. The first example of this attack in the wild was contributed by
Alexander Peslyak
Alexander Peslyak (Александр Песляк) (born 1977), better known as Solar Designer, is a security specialist from Russia. He is best known for his publications on exploitation techniques, including the return-to-libc attack and the ...
on the
Bugtraq Bugtraq was an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It was a high-volume ...
mailing list in 1997.
On
POSIX
The Portable Operating System Interface (POSIX) is a family of standards specified by the IEEE Computer Society for maintaining compatibility between operating systems. POSIX defines both the system- and user-level application programming in ...
-compliant
operating system
An operating system (OS) is system software that manages computer hardware, software resources, and provides common daemon (computing), services for computer programs.
Time-sharing operating systems scheduler (computing), schedule tasks for ef ...
s the
C standard library
The C standard library or libc is the standard library for the C programming language, as specified in the ISO C standard. ISO/IEC (2018). '' ISO/IEC 9899:2018(E): Programming Languages - C §7'' Starting from the original ANSI C standard, it was ...
("
libc
") is commonly used to provide a standard
runtime environment
In computer programming, a runtime system or runtime environment is a sub-system that exists both in the computer where a program is created, as well as in the computers where the program is intended to be run. The name comes from the compile ...
for programs written in the
C programming language
''The C Programming Language'' (sometimes termed ''K&R'', after its authors' initials) is a computer programming book written by Brian Kernighan and Dennis Ritchie, the latter of whom originally designed and implemented the language, as well a ...
. Although the attacker could make the code return anywhere,
libc
is the most likely target, as it is almost always linked to the program, and it provides useful calls for an attacker (such as the
system
A system is a group of interacting or interrelated elements that act according to a set of rules to form a unified whole. A system, surrounded and influenced by its environment, is described by its boundaries, structure and purpose and express ...
function used to execute shell commands).
Protection from return-to-libc attacks
A
non-executable stack can prevent some buffer overflow exploitation, however it cannot prevent a return-to-libc attack because in the return-to-libc attack only existing executable code is used. On the other hand, these attacks can only call preexisting functions.
Stack-smashing protection Buffer overflow protection is any of various techniques used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables, and preventing them from causing program misbehavior ...
can prevent or obstruct exploitation as it may detect the corruption of the stack and possibly flush out the compromised segment.
"
ASCII armoring
A binary-to-text encoding is encoding of data in plain text. More precisely, it is an encoding of binary data in a sequence of printable characters. These encodings are necessary for transmission of data when the channel does not allow binary dat ...
" is a technique that can be used to obstruct this kind of attack. With ASCII armoring, all the system libraries (e.g., libc) addresses contain a
NULL byte (
0x00
). This is commonly done by placing them in the first
0x01010101
bytes of memory (a few pages more than 16 MB, dubbed the "ASCII armor region"), as every address up to (but not including) this value contains at least one NULL byte. This makes it impossible to emplace code containing those addresses using string manipulation functions such as
strcpy()
. However, this technique does not work if the attacker has a way to overflow NULL bytes into the stack. If the program is too large to fit in the first 16
MB, protection may be incomplete. This technique is similar to another attack known as return-to-plt where, instead of returning to libc, the attacker uses the Procedure Linkage Table (PLT) functions loaded in the
position-independent code
In computing, position-independent code (PIC) or position-independent executable (PIE) is a body of machine code that, being placed somewhere in the primary memory, executes properly regardless of its absolute address. PIC is commonly used fo ...
(e.g.,
system@plt, execve@plt, sprintf@plt, strcpy@plt
).
Address space layout randomization
Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited f ...
(ASLR) makes this type of attack extremely unlikely to succeed on
64-bit machines as the memory locations of functions are random. For
32-bit systems, however, ASLR provides little benefit since there are only 16 bits available for randomization, and they can be defeated by
brute force
Brute Force or brute force may refer to:
Techniques
* Brute force method or proof by exhaustion, a method of mathematical proof
* Brute-force attack, a cryptanalytic attack
* Brute-force search, a computer problem-solving technique
People
* Brut ...
in a matter of minutes.
See also
*
Buffer overflow
In information security and programming, a buffer overflow, or buffer overrun, is an anomaly whereby a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
Buffers are areas of memo ...
*
Stack buffer overflow
*
Stack-smashing protection Buffer overflow protection is any of various techniques used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables, and preventing them from causing program misbehavior ...
*
No eXecute (NX) bit
*
Address space layout randomization
Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited f ...
*
Return-oriented programming
Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.
In this technique, an attacker gains cont ...
*
Gadget (machine instruction sequence)
Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.
In this technique, an attacker gains cont ...
*
Unintended instructions
An illegal opcode, also called an unimplemented operation, unintended opcode or undocumented instruction, is an instruction to a CPU that is not mentioned in any official documentation released by the CPU's designer or manufacturer, which nev ...
References
{{reflist
External links
Bypassing non-executable-stack during exploitation using return-to-libcby c0ntex at css.csail.mit.edu
Computer security exploits
C standard library