A return-to-libc attack is a computer security attack usually starting with a buffer overflow, in which the return address on the stack is replaced by the address of another function in the program. This allows attackers to call pre-existing functions without the need to inject malicious code into a program.
On Linux and other GNU systems, the shared library "libc" provides the POSIX C runtime, including functions such as system(), which executes an arbitrary program. Although the attacker could make the code return anywhere, these functions are particularly useful and are always present in any program, making a function in libc the most likely target of a real exploit and giving the attack its name.
A non-executable stack can prevent some buffer overflow exploits, but not a return-to-libc attack, because the attack uses only existing, executable code. On the other hand, these attacks can only call pre-existing functions. Stack-smashing protection can prevent or obstruct exploitation, as it can detect the corruption of the stack. Address space layout randomization makes this type of attack extremely difficult, as the locations of all functions in memory are random.
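An added example, not part of the original article: a minimal Python audit that reads an ELF64 file's headers and reports which of the mitigations named above the binary was built to use. The images from `build_sample` are constructed for the demonstration, `missing_ret2libc_defences` is a hypothetical helper, and the `__stack_chk_fail` byte search is only a heuristic for stack-smashing protection.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that records stack permissions
PF_X = 0x1                 # segment flag: executable
ET_DYN = 3                 # e_type of a position-independent executable (PIE)

def audit_elf64(data: bytes) -> dict:
    """Report which mitigations a little-endian ELF64 image was built with."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx_stack = False  # no PT_GNU_STACK header: do not assume a non-executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {
        "nx_stack": nx_stack,        # does not stop return-to-libc by itself
        "pie": e_type == ET_DYN,     # lets ASLR move the program's own functions too
        # Heuristic: canary-instrumented code references this libc symbol.
        "stack_protector": b"__stack_chk_fail" in data,
    }

def missing_ret2libc_defences(report: dict) -> list:
    """Mitigations the text credits with obstructing the attack that are absent."""
    return [k for k in ("stack_protector", "pie") if not report[k]]

def build_sample(e_type: int, stack_flags: int, canary: bool) -> bytes:
    """Constructed input: ELF64 header plus a single PT_GNU_STACK program header."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr + (b"__stack_chk_fail\0" if canary else b"")

if __name__ == "__main__":
    for name, img in [("nx-only", build_sample(2, 6, False)),
                      ("hardened", build_sample(3, 6, True))]:
        report = audit_elf64(img)
        print(name, report, "missing:", missing_ret2libc_defences(report))
```

The "nx-only" sample is the case the paragraph warns about: its stack is non-executable, yet both defences that obstruct a return-to-libc attack are reported missing.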
Certain host-based intrusion prevention products can provide specific protection from return-to-libc attacks.
This article is licensed under the GNU Free Documentation License. It uses material from the "Return-to-libc attack".