upvote

points

by wahern8 hours ago |
comments
upvoteby dwattttt2 hours ago|
next
[-]
> The alternative they present is arguably less secure because the function pointer will remain writable for the life of the process

They also suggest an alternative to storing the function pointer, store the bit flags that decide which function to call. That restricts the call targets to only the legitimate ones intended.

reply
upvoteby ajross8 hours ago|
prev|
next
[-]
Yeah, this blog is misguided. As a higher level criticism: it's confusing[1] the technical details with the payload with the exploit chain that deployed it.

The interesting thing is obviously not that you can get code to run at high privilege level by modifying a system component. I mean, duh, as it were.

The interesting thing is that the attackers (almost) got downstream Linux distros to suck down and deploy that malicious component for them. And that's not down to an oddball glibc feature, it happened because they got some human beings to trust a malicious actor. GNU glibc can't patch that!

[1] Incorrectly, as you point out.

reply
upvoteby ordu6 hours ago|
prev|
[-]
> The alternative they present is arguably less secure because the function pointer will remain writable for the life of the process

The article mentions this, and also points to mprotect which you can use to protect the pointer.

Why people jump to criticize without reading first? BTW, you can ask an LLM to check your critique, before posting, if you don't want to read the text.

reply
upvoteby IAmLiterallyAB6 hours ago|
parent|
[-]
Yes but at best their "solution" is equally secure, not any better.
reply
upvoteby ordu4 hours ago|
parent|
next
[-]
They argue, and I tend to agree, that their solution is more secure.

1. It impiles some function pointers to be writable temporarily, not all of them.

2. It doesn't hide writable pointers from a cursory glance not familiar with IFUNC.

reply
upvoteby anarazel3 hours ago|
parent|
[-]
The GOT has to be initially writable regardless of ifunc, even with relro, to apply relocations.
reply
upvoteby kstrauser5 hours ago|
parent|
prev|
[-]
Would xz still have been able to alter opensshd without IFUNC?
reply
upvoteby rwmj1 hours ago|
parent|
[-]
Yes, liblzma could have used multiple routes to take over sshd. Once you're running inside the process it's game over. The exact details, like how they used ifunc and an audit hook, are very interesting, but ultimately not that important.
reply