The Stack Clash vulnerability
Shawn Webb
shawn.webb at hardenedbsd.org
Tue Jun 20 13:34:28 UTC 2017
Right, because I use libprocstat. Instead of using libprocstat to
dynamically figure out the start of the stack, you can do other tricks
to find out where the stack lies. Feel free to modify the code to better
suit your environment.
On Tue, Jun 20, 2017 at 02:32:17PM +0100, Pawel Biernacki wrote:
> Hi Shawn,
>
> Nice p0c, but it doesn't work with security.bsd.unprivileged_proc_debug=0,
> which was initially enabled in the menu with hardening options.
>
> Pawel.
>
>
> On 20 June 2017 at 14:15, Shawn Webb <shawn.webb at hardenedbsd.org> wrote:
>
> > On Tue, Jun 20, 2017 at 08:13:46AM +0000, Vladimir Terziev wrote:
> > > Hi,
> > >
> > > I assume the FreeBSD security team is already aware of the Stack Clash
> > vulnerability, which is stated to affect FreeBSD amongst other Unix-like OSes.
> > >
> > > Just in case, here is the analysis document from Qualys:
> > >
> > > https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
> >
> > FreeBSD is indeed affected. I've written a PoC, which works even with
> > the stack guard enabled:
> >
> > https://github.com/lattera/exploits/blob/master/FreeBSD/StackClash/001-stackclash.c
> >
> > Thanks,
> >
> > --
> > Shawn Webb
> > Cofounder and Security Engineer
> > HardenedBSD
> >
> > GPG Key ID: 0x6A84658F52456EEE
> > GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
> >
>
>
>
> --
> One of God's own prototypes. A high-powered mutant of some kind never
> even considered for mass production. Too weird to live, and too rare to die.
--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE