Message-ID: <CAH8yC8noAwqzQQVwW=zD2c9MO1oqhF2yqTFxwvBnYjWiFXSLRA@mail.gmail.com>
Date: Sun, 20 Oct 2013 13:26:59 -0400
From: Jeffrey Walton <noloader@...il.com>
To: x90c <geinblues@...il.com>
Cc: Full Disclosure List <full-disclosure@...ts.grok.org.uk>
Subject: Re: glibc 2.5 <= reloc types to crash bug
> switch (r_type)
>   {
>   case R_386_GLOB_DAT:
>   case R_386_JMP_SLOT:
>     // *reloc_addr (relocation addr) = value (relative addr calculated
>     // in the code above)
>     *reloc_addr = value;
>     break;
>   }
> // XXX BUG: 'defaults:' label does not exist!
I believe the lack of a 'default' label is legal C99 (6.8.4.2.5).
> at symbol relocation time. It means an ELF object with 4 bytes
> altered to unspecified reloc types crashes.
How, precisely, are you writing to those 4 bytes? Or are you saying
they are garbage (which leads to a crash)?
Jeff
On Sun, Oct 20, 2013 at 7:05 AM, x90c <geinblues@...il.com> wrote:
> +---------------------------------------------------------+
> | XADV-2013002 glibc 2.5 <= reloc types to crash bug |
> +---------------------------------------------------------+
>
> Vulnerable versions:
> - glibc 2.5 <=
> Not vulnerable versions:
> - glibc 2.6 >=
> Testbed: linux distro
> Type: Local
> Impact: crash
> Vendor: https://www.gnu.org/software/libc
> Author: x90c <geinblues *nospam* gmail dot com>
> Site: x90c.org
>
>
> =========
> ABSTRACT:
> =========
>
> [Unspecified reloc types bug]
> The 'defaults:' label code exists only if RTLD_BOOTSTRAP is not defined,
> and glibc 2.5 defines RTLD_BOOTSTRAP by default. The elf_machine_rel() of the
> vulnerable glibc 2.5 ld-2.5.so doesn't process 'defaults:' at
> symbol relocation time. It means an ELF object with 4 bytes
> altered to unspecified reloc types crashes.
> (The 'defaults:' label processes unspecified reloc types to
> calc the reloc addr.)
>
> The vulnerable function sets reloc_addr_arg as the 5th argument
> (the reloc addr) and calcs the reloc addr. Unspecified reloc types
> pass an improper value (from the ELF binary) to reloc_addr. An ELF binary
> with altered, unspecified reloc types crashes. BUG!
>
> The bug can be used for rootkit technique via altering the ELF object.
>
> =========
> DETAILS:
> =========
>
> glibc-2.5/dl-machine.h
> ----
> auto inline void
> __attribute ((always_inline))
> elf_machine_rel (struct link_map *map, const Elf32_Rel *reloc,
>                  const Elf32_Sym *sym, const struct r_found_version *version,
>                  void *const reloc_addr_arg)
> {
>   // reloc_addr = reloc_addr_arg (5th argument, as relative jump)
>   Elf32_Addr *const reloc_addr = reloc_addr_arg;
>
>   ...
>
>   switch (r_type)
>     {
>     case R_386_GLOB_DAT:
>     case R_386_JMP_SLOT:
>       // *reloc_addr (relocation addr) = value (relative addr calculated
>       // in the code above)
>       *reloc_addr = value;
>       break;
>     }
>   // XXX BUG: 'defaults:' label does not exist!
>   ...
>
> }
> #endif /* !RTLD_BOOTSTRAP */
> ----
>
>
> ===============
> EXPLOIT CODES:
> ===============
> Altering reloc types on the ELF binary.
>
> =============
> PATCH CODES:
> =============
> Add a 'defaults:' label to the relocation code above
> if RTLD_BOOTSTRAP is defined.
>
>
> ===============
> VENDOR STATUS:
> ===============
> 2012/09/04 - Bug discovered.
> 2013/10/20 - Advisory released on full-disclosure, bugtraq, exploit-db.
>
> ...
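The point of the exchange above is a switch on the relocation type with no default branch, so an entry whose type byte is not one the loader lists falls out of the switch unhandled. The following is an added example, not code from the advisory, from Jeff's reply, or from glibc: a small validator that walks an Elf32_Rel table and rejects unknown i386 relocation types in an explicit default branch, which is the check a hardened loader or an ELF-integrity scanner would perform before trusting a binary's relocation entries. The Elf32_Rel layout and R_386_* numbers are written out locally with the same values as <elf.h>; the function names (check_rel, scan_rel_table), the alignment test, and the sample table are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of an Elf32_Rel entry and the i386 relocation type numbers, written
   out here with the same values as <elf.h> so the example builds stand-alone. */
typedef struct {
    uint32_t r_offset;  /* address of the 32-bit slot the loader will patch */
    uint32_t r_info;    /* (symbol index << 8) | relocation type */
} elf32_rel_t;

#define REL_TYPE(info) ((uint8_t)((info) & 0xffu))
#define REL_SYM(info)  ((info) >> 8)

enum {
    R_386_NONE = 0, R_386_32 = 1, R_386_PC32 = 2, R_386_GOT32 = 3,
    R_386_PLT32 = 4, R_386_COPY = 5, R_386_GLOB_DAT = 6, R_386_JMP_SLOT = 7,
    R_386_RELATIVE = 8, R_386_GOTOFF = 9, R_386_GOTPC = 10
};

typedef enum { REL_OK = 0, REL_UNKNOWN_TYPE = 1, REL_MISALIGNED = 2 } rel_verdict_t;

/* Check one entry the way a loader's switch should: list every type the
   loader implements and reject everything else in the default branch, rather
   than letting an unlisted type fall out of the switch unhandled. The
   alignment test is an extra sanity check added by this example (a 32-bit
   slot must be 4-byte aligned); the quoted glibc code does not perform it. */
rel_verdict_t check_rel(const elf32_rel_t *rel)
{
    if (rel->r_offset % 4 != 0)
        return REL_MISALIGNED;
    switch (REL_TYPE(rel->r_info)) {
    case R_386_NONE: case R_386_32: case R_386_PC32: case R_386_GOT32:
    case R_386_PLT32: case R_386_COPY: case R_386_GLOB_DAT: case R_386_JMP_SLOT:
    case R_386_RELATIVE: case R_386_GOTOFF: case R_386_GOTPC:
        return REL_OK;
    default:
        return REL_UNKNOWN_TYPE;
    }
}

/* Scan a whole relocation table. Returns the number of rejected entries and,
   when first_bad is non-NULL and at least one entry is rejected, stores the
   index of the first rejected entry there. */
size_t scan_rel_table(const elf32_rel_t *tab, size_t n, size_t *first_bad)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (check_rel(&tab[i]) != REL_OK) {
            if (bad == 0 && first_bad != NULL)
                *first_bad = i;
            bad++;
        }
    }
    return bad;
}

/* Constructed sample table (not taken from a real binary): two well-formed
   GOT/PLT entries followed by one whose type byte is 0xee, a value no i386
   loader defines. */
static const elf32_rel_t sample_table[] = {
    { 0x08049ff4u, (1u << 8) | R_386_GLOB_DAT },
    { 0x0804a000u, (2u << 8) | R_386_JMP_SLOT },
    { 0x0804a004u, (2u << 8) | 0xeeu },
};
#define SAMPLE_COUNT (sizeof sample_table / sizeof sample_table[0])

/* Number of rejected entries in the constructed sample table. */
size_t sample_bad_count(void)
{
    return scan_rel_table(sample_table, SAMPLE_COUNT, NULL);
}

/* Index of the first rejected sample entry, or SAMPLE_COUNT if none. */
size_t sample_first_bad_index(void)
{
    size_t first = SAMPLE_COUNT;
    scan_rel_table(sample_table, SAMPLE_COUNT, &first);
    return first;
}

int main(void)
{
    size_t first = SAMPLE_COUNT;
    size_t bad = scan_rel_table(sample_table, SAMPLE_COUNT, &first);
    printf("%zu of %zu relocation entries rejected\n", bad, (size_t)SAMPLE_COUNT);
    if (bad > 0)
        printf("first rejected entry: index %zu, sym %u, type 0x%02x\n",
               first, (unsigned)REL_SYM(sample_table[first].r_info),
               (unsigned)REL_TYPE(sample_table[first].r_info));
    return bad > 0 ? 1 : 0;
}
```

Run as is, the program reports one rejected entry at index 2 with type 0xee. The design choice to take from it is the one Jeff's reply touches on: omitting `default:` is legal C, but for a type-dispatch switch over attacker-influenced input the default branch is where the "this value is not one I handle" decision has to be made explicitly, so that an unexpected type is reported rather than silently skipped or, as the advisory describes for ld-2.5.so, left to take the process down.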
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/