Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi people.
Buffer overflow , format strings and even return to glibc has enough documentation , exploit code and CVE's listed for a security researchers or searchers .
But if you go through PAX -> mprotect or PAX-> disable text relocations , the only thing you notice a suggestion to ensure every single line of code in your system should be Position Independent .
What is surprising is there doesn't seem to be a single known exploit that reflects how a NON-PIC code can be used to execute shell code attacks.
With or without PAX , How is NON-PIC code vulnerable?
Please answer the question citing or redirecting me to a simple example.
"(..)text relocations, caused by non-PIC code in shared libraries, are bad, because they prevent those memory pages from being shared. (..) means that the dynamic linker has to make memory pages, which are otherwise read-only, temporarily writable. The period in which the pages are writable is usually brief, only until all non-lazy relocations for the object are handled. But even this brief period could be exploited by an attacker. In a malicious attack code regions could be overwritten with code of the attacker’s choice and the program will execute the code blindly if it reaches those addresses.
During the program startup period this is not possible since there is no other thread available which could perform the attack while the pages are writable. The same is not true if later, when the program already executes normal code and might have start threads, some DSOs are loaded dynamically with dlopen. For this reason creating DSOs with text relocation means unnecessarily increasing the security problems of the system."
Reading Deppers paper, the (excellent) Gentoo docs on PAX and this you can say it's not about exploiting this in the practical sense but about exploitability, trying to close one more loophole. I'm sure that if any exploits exist you can find them yourself. LQ is not the place to promote that kind of stuff.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
