Intel e100/1000 Local Privilege Escalation & PAX
Posted: Wed Dec 13, 2006 3:45 pm
I was recently informed of an Intel network driver local privilege escalation and I was curious as to how/if PAX can prevent this attack.
From the description of the attack:
http://research.eeye.com wrote:
Therefore, supplying a 0x17A-character string (at offset +0x0C within the output buffer, because NDIS uses the first 8 bytes for its own purposes) will cause the handler function's return address to be entirely overwritten, allowing execution to be redirected to an arbitrary user- or kernel-mode address.
Full text of the exploit description: http://www.securityfocus.com/archive/1/453852
I'm betting that PAX ASLR makes this type of exploit impossible. It seems to me that the user space code would not know which address to supply while overwriting the return address and would therefore segfault. Am I correct in this assumption?
To me this means the difference between making a mad dash to upgrade e1000/e100 drivers on hundreds of servers, or doing it as I get the time in a more controlled manner.
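As an added example (not code from the original post, the eEye advisory, or the Intel driver), the following C program models the overflow pattern quoted above: a request handler copies caller-supplied data into a fixed-size stack buffer without a length check, the copy runs past the buffer into the saved return address, and the value that lands there is whatever the caller put at that position in the request. The hardened handler beside it adds the missing bounds check. The 8-byte reserved header, the 64-byte local buffer, the "legitimate" return address and the target address are assumptions chosen for illustration; the frame is modelled as a union so the overwrite can be observed deterministically without real memory corruption, and the actual driver's frame layout (which is where eEye's 0x17A count comes from) is not reconstructed.

```c
/* Added example, not the e100/e1000 driver code: a deterministic model of a
 * stack-buffer overrun that clobbers the saved return address, next to the
 * bounds-checked version. Sizes and addresses are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NDIS_HDR  8                         /* assumed: bytes the transport keeps for itself */
#define LOCAL_BUF 64                        /* assumed: handler's fixed-size stack buffer */
#define LEGIT_RET ((uintptr_t)0x80012345u)  /* assumed: address the handler should return to */

/* Model of the handler's stack frame: local buffer directly below the saved return address. */
union frame {
    struct {
        uint8_t   buf[LOCAL_BUF];
        uintptr_t saved_ret;
    } f;
    uint8_t raw[LOCAL_BUF + sizeof(uintptr_t)];
};

/* Vulnerable handler: copies everything after the header into the local buffer
 * with no length check, so a long request runs into saved_ret. Returns the value
 * left in the saved-return slot so the effect can be checked. */
static uintptr_t vuln_handler(const uint8_t *req, size_t req_len) {
    union frame fr;
    memset(&fr, 0, sizeof fr);
    fr.f.saved_ret = LEGIT_RET;
    if (req_len > NDIS_HDR) {
        size_t n = req_len - NDIS_HDR;
        /* The real bug has no cap at all; this cap only keeps the model itself in
         * bounds. The copy still overwrites buf and then saved_ret, like a stack overrun. */
        if (n > sizeof fr.raw) n = sizeof fr.raw;
        memcpy(fr.raw, req + NDIS_HDR, n);
    }
    return fr.f.saved_ret;
}

/* Hardened handler: rejects any payload larger than the buffer before copying.
 * Returns 0 on success (saved_ret reported via *ret_out) or -1 if rejected. */
static int fixed_handler(const uint8_t *req, size_t req_len, uintptr_t *ret_out) {
    union frame fr;
    memset(&fr, 0, sizeof fr);
    fr.f.saved_ret = LEGIT_RET;
    if (req_len > NDIS_HDR) {
        size_t n = req_len - NDIS_HDR;
        if (n > LOCAL_BUF) return -1;      /* the missing length check */
        memcpy(fr.f.buf, req + NDIS_HDR, n);
    }
    *ret_out = fr.f.saved_ret;
    return 0;
}

/* Attacker side: header padding, filler up to the return slot, then the chosen
 * target address in host byte order. Returns the request length, 0 if out_cap is too small. */
static size_t build_request(uint8_t *out, size_t out_cap, uintptr_t target) {
    size_t len = NDIS_HDR + LOCAL_BUF + sizeof target;
    if (out_cap < len) return 0;
    memset(out, 'A', NDIS_HDR + LOCAL_BUF);
    memcpy(out + NDIS_HDR + LOCAL_BUF, &target, sizeof target);
    return len;
}

/* Drivers used by main() and the checks below: what the saved return slot holds
 * after the vulnerable handler sees a request aimed at `target`, and the hardened
 * handler's verdict on the same request. */
static uintptr_t run_vuln(uintptr_t target) {
    uint8_t req[NDIS_HDR + LOCAL_BUF + sizeof(uintptr_t)];
    size_t n = build_request(req, sizeof req, target);
    return n ? vuln_handler(req, n) : 0;
}

static int run_fixed(uintptr_t target) {
    uint8_t req[NDIS_HDR + LOCAL_BUF + sizeof(uintptr_t)];
    uintptr_t ret = 0;
    size_t n = build_request(req, sizeof req, target);
    return n ? fixed_handler(req, n, &ret) : -2;
}

/* A short, well-formed request (constructed inline) leaves saved_ret intact in both handlers. */
static int short_request_ok(void) {
    uint8_t req[NDIS_HDR + 16];
    uintptr_t ret = 0;
    memset(req, 'B', sizeof req);
    if (vuln_handler(req, sizeof req) != LEGIT_RET) return 0;
    if (fixed_handler(req, sizeof req, &ret) != 0 || ret != LEGIT_RET) return 0;
    return 1;
}

int main(void) {
    uintptr_t target = (uintptr_t)0xdeadbeefu;   /* assumed attacker-chosen address */
    printf("vulnerable handler returns to: 0x%lx (attacker chose 0x%lx)\n",
           (unsigned long)run_vuln(target), (unsigned long)target);
    printf("hardened handler verdict: %d (-1 = rejected)\n", run_fixed(target));
    printf("short request intact: %d\n", short_request_ok());
    return 0;
}
```

The point the model makes is that the return target is chosen by the caller of the handler: the value written over the saved return address is simply the bytes that sit at the right offset in the oversized request, and the fix is to refuse the copy before it reaches that offset.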