Opened 7 years ago

Closed 6 years ago

Last modified 6 years ago

#10505 closed defect (fixed)

Broken ASLR in windows executable

Reported by: Blueberry Owned by: erinn
Priority: High Milestone: Tor: 0.2.6.x-final
Component: Core Tor/Tor Version: Tor: 0.2.4.19
Severity: Keywords: tbb-security tor-client 024-backport 023-backport 025-triaged 025-backport 024-backport
Cc: erinn, tom@… Actual Points:
Parent ID: #10065 Points:
Reviewer: Sponsor:

Description

ASLR (Address Space Layout Randomization) is a Windows feature to complicate writing exploits. The provided tor executable in the Windows expert bundle doesn't have full ASLR support.

A Windows executable must have two features to fully support ASLR:

1) In the PE header the following DllCharacteristics flag must be set IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040). Tor has this value correctly set.

2) PE relocation table. To successfully randomize the address space of the executable, the PE loader must know what addresses need to be adjusted. Therefore to randomize the image base (standard image base: 0x00400000) the PE file must have a relocation table. Tor is missing the relocation table. As a result, the image base is always 0x00400000 and this is bad.

The linker should provide a switch to include a relocation table.

PS: Greetings from the 30C3. Nice presentation yesterday.
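The two conditions listed in the description can be verified directly from the PE headers of a built binary. The following script is an added example, not code from the ticket or from the Tor project: it reads the DllCharacteristics field, the COFF Characteristics field (whose IMAGE_FILE_RELOCS_STRIPPED bit is also commonly set when the linker drops relocations) and data directory entry 5 (the base relocation table), and reports whether the image would actually be rebased by the loader. The `build_sample_pe` helper constructs a minimal, non-runnable PE32 header purely as sample input so the check can be exercised offline; the field offsets follow the PE/COFF specification for PE32 and PE32+ optional headers.

```python
import struct
import sys

# Flags and indexes from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # "ASLR opt-in" flag named in the ticket
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics: relocations removed
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5              # data directory slot of the .reloc table


def check_aslr(data: bytes) -> dict:
    """Parse a PE image and report the two properties ASLR needs."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)

    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        num_rva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        num_rva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    # DllCharacteristics sits at the same offset in both optional header layouts.
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    num_rva = struct.unpack_from("<I", data, num_rva_off)[0]

    reloc_rva = reloc_size = 0
    if num_rva > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)

    dynamic_base = bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    has_relocations = reloc_size > 0 and not relocs_stripped
    return {
        "image_base": image_base,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "has_relocations": has_relocations,
        "reloc_table": (reloc_rva, reloc_size),
        # The loader only rebases when BOTH the flag and the relocation data exist.
        "full_aslr": dynamic_base and has_relocations,
    }


def build_sample_pe(dynamic_base: bool, with_relocs: bool) -> bytes:
    """Constructed sample: a header-only PE32 image (not loadable), for testing."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> right after DOS header
    characteristics = 0x0102                              # EXECUTABLE_IMAGE | 32BIT_MACHINE
    if not with_relocs:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                                  # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, 0x00400000)           # standard image base from the ticket
    struct.pack_into("<H", opt, 70,
                     IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    if with_relocs:
        # Constructed RVA/size for a .reloc directory entry.
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x3000, 0x40)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            report = check_aslr(f.read())
    else:
        # The situation the ticket describes: flag set, relocation table missing.
        report = check_aslr(build_sample_pe(dynamic_base=True, with_relocs=False))
    for key, value in report.items():
        print("%-16s %s" % (key, hex(value) if key == "image_base" else value))
```

Run it with a path to an executable to audit a real build; without arguments it evaluates the constructed sample, which reproduces the ticket's finding (`dynamic_base` true, `has_relocations` false, `full_aslr` false). The same three fields are what `objdump -p` or `dumpbin /headers` print, so the script is only a convenience for scripting the check into a build pipeline.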

Child Tickets

Change History (16)

comment:1 Changed 7 years ago by nickm

Priority: normal → major

Anybody know what we need to tell mingw-gcc at compile-time to make the right stuff happen here? This is probably something to add to the linker options in configure.ac when --enable-gcc-hardening is on.

comment:2 Changed 7 years ago by nickm

Milestone: Tor: 0.2.4.x-final

comment:3 Changed 7 years ago by cypherpunks

Last edited 7 years ago by cypherpunks (previous) (diff)

comment:4 Changed 7 years ago by cypherpunks

Last edited 7 years ago by cypherpunks (previous) (diff)

comment:5 Changed 7 years ago by Blueberry

Sorry, I didn't look at the Tor Browser. Now I noticed that the Tor Browser doesn't have ASLR either. This is much more worrying; this is a major, high-priority bug, because it is more likely that someone will want to write exploits for the browser. Every browser really must have ASLR. It doesn't prevent exploits entirely, of course, but it helps to increase the effort. Please fix this in the Browser as soon as possible.

comment:6 Changed 7 years ago by mikeperry

Resolution: duplicate
Status: new → closed

comment:7 Changed 7 years ago by mikeperry

Keywords: tbb-security added
Parent ID: #10065
Resolution: duplicate
Status: closed → reopened

comment:8 Changed 7 years ago by nickm

Keywords: tor-client 024-backport 023-backport added
Milestone: Tor: 0.2.4.x-final → Tor: 0.2.5.x-final

Marking as backportable to all live series.

comment:9 Changed 7 years ago by andrea

Keywords: 025-triaged added

comment:10 Changed 7 years ago by nickm

Cc: helix added
Status: reopened → new

helix, my understanding is that you're working on getting the build process to do this? If so, let me know if tor itself needs to add any more options.

comment:11 Changed 7 years ago by nickm

Cc: erinn added; helix removed

woops, wrong user name

(Edited: I can't words today)

Last edited 7 years ago by nickm (previous) (diff)

comment:12 Changed 7 years ago by nickm

Owner: set to erinn
Status: new → assigned

comment:13 Changed 6 years ago by nickm

Keywords: 025-backport added
Milestone: Tor: 0.2.5.x-final → Tor: 0.2.6.x-final

0.2.5 won't block on this, but it's still important, and we should backport it once it's done.

comment:14 Changed 6 years ago by tom

Cc: tom@… added

comment:15 Changed 6 years ago by mikeperry

Resolution: fixed
Status: assigned → closed

comment:16 Changed 6 years ago by mikeperry

Fix should appear in 4.0-alpha-2
