lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <51E43DC6.7040304@upv.es>
Date: Mon, 15 Jul 2013 20:21:58 +0200
From: Hector Marco <hecmargi@....es>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
 oss-security@...ts.openwall.com
Subject: CVE-2013-4788 - Eglibc PTR MANGLE bug


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi guys,

The following is a bug that we found while we were working around
stack smashing protection techniques.


Title: CVE-2013-4788 - Eglibc PTR MANGLE bug


0.- Description

This bug was discovered in March 2013 while we were developing the RAF SSP
technique. The glibc bug makes it easy to take advantage of common
errors such
as buffer overflows allows in these cases redirect the execution flow and
potentially execute arbitrary code.


1.- Impact

All statically linked applications compiled with glibc and eglibc are
affected,
independent of the operating system distribution. Note that this problem
is not
solved by only patching the eglibc, but it is also necessary to
recompile all
static executables.  As far I know there are a lot of routers, embedded
systems
etc., which use static linked applications. Since the bug is from the
beginning
of the PTR_MANGLE implementations (years 2005-2006) there are a ton of
vulnerable devices.


2.- Vulnerable packages

The bug has been propagated to all the static code compiled with all
versions,
on all architectures, of glibc from 2.4 (06-Mar-2006) to 2.17 (Current
version).


3.- Vulnerability

The vulnerability is caused due to the non initialization to a random
value (it
is always zero) of the "pointer guard" by the glibc only when generating
static
compiled executables. Dynamic executables are not affected. Pointer guard is
used to mangle the content of sensible pointers (longjmp, signal handlers,
etc.), if the pointer guard value is zero (non-initialized) then it is not
effective.   An example:  Library functions like "setjmp()" or
"longjmp()" use
PTR_MANGLE and PTR_DEMANGLE. These macros are used to protect structures
like
jmp_buf. Basically consist on XOR-ing the pointer value with a random
32/64-bit
value. Since the pointer guard (random value) is 0x0 the attacker can easily
calculate off-line the value of a target address. By overwriting the "env"
structure with the pre-computed address the vulnerability is triggered when
longjmp() is called and the execution flow is redirected to attacker
address.

4.- Exploit

The bug was tested with Debian 7.1 and Ubunu 12.04 LTS and 13.04). I already
created a proof of concept to exploit this vulnerability for both 32 and 64
bits x86 architectures.   The proof of concept poc-bug-mangle.c redirect the
execution flow to a function which prompt a shell. This exploit can be
compiled
for both i386 and x86_64 architectures. More architectures can be added
easily
by adding the correspondent defines.  

Compilation for i386:
   gcc poc-bug-mangle.c -o poc-bug-mangle -static

Compilation for x86_64:
   gcc poc-bug-mangle.c -o poc-bug-mangle_32 -static -m32
   gcc poc-bug-mangle.c -o poc-bug-mangle_64 -static -m64

Execution output:
   box@....upv.es:~$ ./poc-bug-mangle
   [+] Exploiting ...
   [+] hacked !!
   $



5.- FIX

Note that the bug is not solved by only patching the eglibc, but it is also
necessary to recompile all static executables. I have created a non official
patch ptr_mangle-eglibc-2.17.patch for the gblic-2.17.  

Patching glibc-2.17:
   wget http://hmarco.org/bugs/patches/ptr_mangle-eglibc-2.17.patch
   cd glibc-2.17
   patch -p1 < ../ptr_mangle-eglibc-2.17.patch


6.- Discussion

Although this bug is not exploitable by itself, the truth is that the PTR
Mangle encryption is useless. The goal of the protection technique is not
achieved.  This can be seen as the canary stack is set to 0x0, although
is not
exploitable by itself is clearly an issue. What about whether the canary has
been set to zero from 2006 to today ? This is what happened with the
pointers
protected with this mechanism.   According to Ulrich_Drepper to use
"encryption
pointers (instead of canaries) to protect structures like jmp_buf is at
least
as secure and in addition faster". Following the above and since the
protection
mechanism is useless from the first implementation, the number of
potentially
affected systems could be huge.

Patch and exploit source code:

http://hmarco.org/bugs/CVE-2013-4788.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBAgAGBQJR5D3CAAoJEI9kAsYMQl6irpMQAJ7vGyBETTHeyURqLmKUgofg
YRnK1ia/CszGyNSZVTCF6NIv6JMtaXsF3xvITk0dj68WMtc5DdTSMkw2XQSwzBJv
Vlh8QE6KayM+D0esBy6m7+7dLcPyshW4zTKzU6vQwAkxB+PdRKPuEwnVO3hoqtB/
cwiAhk7J2m5sTkKWVz48JJG/f6EjJRZJLaB6J2pzHPijvBCGmTeXLU4+9RnO4i0q
CoPcJai5uwDk9yRtj2iwbnHj6PIdSeJj3Sw3UJwZb9vF5gX2FQdSQJTc3yvzc3+7
UMHzuEcScFXWPJpKZGuiHU43sBu9pKvye3MUroEOcG6e4woncABRYRSQzDriN/AJ
aUpmvaFtllCA9es286GTBVN7/GGlpLb0PyfdfQW9cVgPqpFZ7Z5GQFMa+pZ/nPRZ
gM4aa2YFveQckBJS14yVMz/lyixcVxpEQH0lJbLYO6L9G+0kdaK8knUMR5q9SFYZ
GkUzauDkzsGUmDrCvam9mYqc55HOmyQETIfu34SorTOnhD2Seg+BWujbU3BJ2NI1
qIp8SrmX+7V75Jsy9p5/LzkjDXyAoSlwi/RchhtCo5Ih99ZJgjlDrtuR9C+GVBL9
36IemhVfUdM0SFIUJVcCfSMPlrZO/eCCWRnJmTCUBhox9dZ01dUHMNC0h2q/gdxt
Bp4l0er3CX70KglD5YIx
=gFhS
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ