Thursday, November 20, 2008

linux: linux-gate.so.1

I recently read a very nice article by Johan Petersson about what linux-gate.so.1 is: the object that is linked into every ELF binary (compiled to use shared libraries) on x86 Linux.
He mentioned that linux-gate.so.1 always has the same address in the executable.
This is rather dangerous, as described in the "Exploiting with linux-gate.so.1" paper. You can exploit a process via linux-gate.so.1 because its address is always known. Moreover, it has the same address in all ELF files on the system, so determining the address of linux-gate.so.1 in any ELF file on the machine and having an exploit lets you take control of almost every process in the system.
It's possible to change the vdso address or disable it completely by writing the appropriate value to /proc/sys/vm/vdso_enabled:

0: no vdso at all
1: random free page (works only if /proc/sys/kernel/randomize_va_space is set to 1)
2: top of the stack
Disabling it is not a good idea because the system can even become unusable. Putting it in a random free page, however, is a good solution; it may break debuggers and/or reduce performance a bit.
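To check how your own machine is configured, here is a small audit script (added here as an example, not part of the original post) that reads the vdso_enabled knob described above and samples the [vdso] mapping of several fresh processes from /proc/self/maps to see whether its address is fixed or varies between runs. It assumes a Linux /proc; on kernels that no longer expose /proc/sys/vm/vdso_enabled it reports "absent", and where no [vdso] mapping exists it reports "none".

```shell
#!/bin/sh
# Added audit helper: report the vdso sysctl and whether the vdso address
# changes between processes (i.e. whether it is randomized).

# vdso_enabled as listed in the post: 0 = no vdso, 1 = random free page,
# 2 = top of the stack. Prints "absent" if the kernel does not expose it
# (assumption: newer kernels dropped this knob on x86).
vdso_setting() {
    if [ -r /proc/sys/vm/vdso_enabled ]; then
        cat /proc/sys/vm/vdso_enabled
    else
        echo absent
    fi
}

# Print the start address of the [vdso] mapping of a fresh process.
# Each call spawns a new cat, so /proc/self/maps reflects a new layout.
vdso_address() {
    cat /proc/self/maps 2>/dev/null \
        | awk '/\[vdso\]/ { split($1, a, "-"); print a[1]; exit }'
}

# Sample N fresh processes: "fixed" if every sample has the same address,
# "randomized" if any differs, "none" if no [vdso] mapping is present.
vdso_randomization() {
    n=${1:-8}
    first=$(vdso_address)
    [ -n "$first" ] || { echo none; return 0; }
    i=1
    while [ "$i" -le "$n" ]; do
        if [ "$(vdso_address)" != "$first" ]; then
            echo randomized
            return 0
        fi
        i=$((i + 1))
    done
    echo fixed
}

echo "vdso_enabled: $(vdso_setting)"
echo "vdso address: $(vdso_randomization 8)"
```

A result of "fixed" on an x86 system is exactly the situation the post warns about: the same address in every process.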
