Hi,

I assume the FreeBSD security team is already aware of the Stack Clash vulnerability, which is stated to affect FreeBSD amongst other Unix-like OSes.

Just in case, here is the analysis document from Qualys:

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

Regards,

Vladimir
Funny enough, we had that covered for a short while, at least better than it is now:

https://www.mail-archive.com/svn-src-all at freebsd.org/msg141063.html

On Tue, Jun 20, 2017 at 9:13 AM, Vladimir Terziev <vterziev at gvcgroup.com> wrote:
> Hi,
>
> I assume the FreeBSD security team is already aware of the Stack Clash
> vulnerability, which is stated to affect FreeBSD amongst other Unix-like OSes.
>
> Just in case, here is the analysis document from Qualys:
>
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
>
> Regards,
>
> Vladimir
On Tue, Jun 20, 2017 at 08:13:46AM +0000, Vladimir Terziev wrote:
> Hi,
>
> I assume the FreeBSD security team is already aware of the Stack Clash vulnerability, which is stated to affect FreeBSD amongst other Unix-like OSes.
>
> Just in case, here is the analysis document from Qualys:
>
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

FreeBSD is indeed affected. I've written a PoC, which works even with the stack guard enabled:

https://github.com/lattera/exploits/blob/master/FreeBSD/StackClash/001-stackclash.c

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
On Tue, Jun 20, 2017 at 08:13:46AM +0000, Vladimir Terziev wrote:
> Hi,
>
> I assume the FreeBSD security team is already aware of the Stack Clash vulnerability, which is stated to affect FreeBSD amongst other Unix-like OSes.
>
> Just in case, here is the analysis document from Qualys:
>
> https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

As a follow-up, Stack Clash should now be mitigated in HardenedBSD:

https://github.com/HardenedBSD/hardenedBSD/compare/de8124d3bf83d774b66f62d11aee0162d0cd1031...91104ed152d57cde0292b2dc09489fd1f69ea77c

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
On 20 June 2017 at 04:13, Vladimir Terziev <vterziev at gvcgroup.com> wrote:
> Hi,
>
> I assume the FreeBSD security team is already aware of the Stack Clash vulnerability, which is stated to affect FreeBSD amongst other Unix-like OSes.

Yes, the security team is aware of this. Improvements in stack handling are in progress (currently in review).