Return into libc

from Wikipedia, the free encyclopedia

Return into libc (also return-to-libc) is a method of attacking computer systems in order to misuse the host (for example a server) into executing unwanted programs.

Basic principle

Computer programs use a special storage area called the stack to manage variables and the return addresses of subroutines. If the stack is manipulated so that it contains the address of another function instead of the expected return address, that function can be used to carry out the attacker's intended actions. The "libc" is the collection of functions provided by the C standard library. This means that no new code has to be introduced into the running system, as is usually necessary with shellcode exploits. This collection contains, for example, the popular function "system()", which allows any system program to be executed. It needs only one parameter, namely the command to be executed.

The manipulation of the stack is typically caused by a buffer overflow. A variable that can only hold a certain number of characters is assigned a longer, precisely crafted character string, which then overwrites the return address located after the variable on the stack. The desired arguments for the (libc) function are also written to the stack, for example the address of a character string.

Variables can produce such an overflow if, for example, they are passed as parameters in a web address and handed on to a CGI program. A prerequisite for such an attack, however, is a vulnerable program that, contrary to common programming practice, does not check the length of its input variables.
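The prerequisite described above, a fixed-size stack buffer filled from untrusted input without a length check, is the defect that makes the return address reachable. The following C program is an added example, not code from the article: it places the unchecked copy (the defect) next to a bounds-checked copy that rejects input which does not fit, and a hypothetical handle_request() that stands in for a CGI handler receiving a web parameter. The buffer size and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* constructed: size of the stack buffer in the handler */

/* The defect the article describes: the input length is never checked, so an
 * input longer than the destination buffer overwrites whatever lies after the
 * buffer on the stack, including the saved return address. Shown only to
 * contrast with the checked version below; never call it with untrusted input. */
void unchecked_copy(char *dst, const char *src)
{
    strcpy(dst, src);           /* no bound: this is the vulnerable pattern */
}

/* Hardened form: copy only if the whole string plus its terminating NUL fits.
 * Returns 0 on success, -1 if the input was rejected. Rejecting is preferred
 * to silent truncation, because truncation can still hide a probing attempt. */
int checked_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size) {
        return -1;              /* too long for the buffer: refuse */
    }
    memcpy(dst, src, len + 1);  /* copies the terminating NUL as well */
    return 0;
}

/* Hypothetical request handler: receives an untrusted string (for example a
 * CGI parameter) and stores it in a fixed-size stack buffer. Returns 0 if the
 * input was accepted, -1 if it was rejected as too long. */
int handle_request(const char *param)
{
    char buf[BUF_SIZE];         /* sits on the stack, below the return address */
    if (checked_copy(buf, sizeof buf, param) != 0) {
        return -1;              /* oversized input never reaches the buffer */
    }
    /* ... the handler would use buf here ... */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that would overflow BUF_SIZE. */
    const char *ok = "hello";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("short input: %s\n", handle_request(ok) == 0 ? "accepted" : "rejected");
    printf("long input:  %s\n", handle_request(too_long) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The length check is deliberately `len >= dst_size` rather than `len > dst_size`: a string of exactly dst_size characters still needs one more byte for its terminator, and that off-by-one is a classic way an apparently checked copy still writes past the buffer.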

Protection options

A non-executable stack protected by means of an NX bit can prevent malicious code from being smuggled in through code injection, but a return-to-libc attack can still be carried out, because it calls existing code. A defense against such attacks can be achieved through ASLR: the memory addresses of the system functions are assigned randomly, so an exact return into these functions is unlikely. Stack protection mechanisms such as the Stack Smashing Protector can detect or prevent further attacks.
