Dark side of the ELF - leveraging dynamic loading to pwn noobs

DEF CON 23

Presented by: Alessandro Di Federico, Yan Shoshitaishvili
Date: Thursday August 06, 2015
Time: 17:00 - 17:50
Location: DEF CON 101

The ELF format is ancient, and much mystery lurks in its dark depths. For 16 years, it has safely encompassed our software, providing support for binary loading, symbol resolution, and lots of very useful binary stuff. In that time, security has become a key concern, resulting in binary defenses like NX and ASLR, which have made exploiting vulnerabilities quite difficult. ASLR, for example, randomizes the location of the stack, the heap, libraries, and (optionally), the binary itself at every execution of an application.

There is no easy way to say this: ELF has let us down. In this talk, we'll explore the dark side of ELF. Specifically, we'll show how ELF, by design, implicitly trusts data structures in the ELF headers. Even in the presence of ASLR, an attacker able to corrupt these headers can trick the ELF loader into calling any function in any linked-in library, providing nothing but the name of the binary. In essence, this technique allows an attacker to call arbitrary library functions (such as system()!) without leaking memory addresses. We call this technique Leakless.

While developing Leakless, we checked many different implementations of the standard C library and found that Leakless can be adapted to attack the ELF loader implementations in all of the common ones (i.e., GNU libc, the libc of the major BSDs, and uClibc). In this talk, we'll describe the internals of the ELF format, show how Leakless works to subvert library function resolution, and demonstrate how it can be use to carry out attacks without information disclosures. And, of course, we'll open-source the tool that we developed to make carrying out this attack easier.

Alessandro Di Federico

Alessandro is a PhD student at Politecnico Di Milano, right under that leaning tower. In his spare time, he hacks with Tower of Hanoi. He likes exploitation and doing really crazy stuff, on and off the computer!

Yan Shoshitaishvili

Hacking since the age of eight, Yan Shoshitaishvili is fascinated by understanding and commandeering the computation and actions carried out by binary code. He is currently pursuing his PhD in the Seclab at UC Santa Barbara and is one of the hacking aces behind team Shellphish. In the little spare time he has left, he develops and releases computer security tools on the Internet.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats