Date: Sun, 20 Oct 2013 13:26:59 -0400
From: Jeffrey Walton <noloader@...il.com>
To: x90c <geinblues@...il.com>
Cc: Full Disclosure List <full-disclosure@...ts.grok.org.uk>
Subject: Re: glibc 2.5 <= reloc types to crash bug

>       switch (r_type)
>         {
>         case R_386_GLOB_DAT:
>         case R_386_JMP_SLOT:
>           // *reloc_addr(*relocation addr) = value(relative addr calculated
>           // at above codes.)
>           *reloc_addr = value;
>           break;
>         }
>       // XXX BUG: 'defaults:' label does not exist!
I believe the lack of a 'default' label is legal C99 (6.8.4.2.5).

> the symbol relocation time. It means the ELF object 4 bytes
> altered with unspecified reloc types to crash.
How, precisely, are you writing to those 4 bytes? Or are you saying
they are garbage (which leads to a crash)?

Jeff

On Sun, Oct 20, 2013 at 7:05 AM, x90c <geinblues@...il.com> wrote:
> +---------------------------------------------------------+
> | XADV-2013002 glibc 2.5 <= reloc types to crash bug       |
> +---------------------------------------------------------+
>
>  Vulnerable versions:
>  - glibc 2.5 <=
>  Not vulnerable versions:
>  - glibc 2.6 >=
>  Testbed: linux distro
>  Type: Local
>  Impact: crash
>  Vendor: https://www.gnu.org/software/libc
>  Author: x90c <geinblues *nospam* gmail dot com>
>  Site: x90c.org
>
>
> =========
> ABSTRACT:
> =========
>
> [Unspecified reloc types bug]
> 'defaults:' label codes on if not defined RTLD_BOOTSTRAP; glibc 2.5
> defined RTLD_BOOTSTRAP by default. The elf_machine_rel() of the
> vulnerable glibc 2.5 ld-2.5.so doesn't process 'defaults:' in
> the symbol relocation time. It means the ELF object 4 bytes
> altered with unspecified reloc types to crash.
> ('defaults:' label processes unspecified reloc types to
>   calc reloc addr)
>
> The vulnerable function sets *reloc_addr_arg as the 5th argument
> (to reloc addr) and calcs the reloc addr. The unspecified reloc types
> pass an improper value (on the elf binary) on reloc_addr. An elf binary
> with altered unspecified reloc_types crashes. BUG!
>
> The bug can be used for rootkit technique via altering the ELF object.
>
> =========
> DETAILS:
> =========
>
> glibc-2.5/dl-machine.h
> ----
> auto inline void
> __attribute ((always_inline))
> elf_machine_rel (struct link_map *map, const Elf32_Rel *reloc,
>                  const Elf32_Sym *sym, const struct r_found_version *version,
>                  void *const reloc_addr_arg)
> {
>   // reloc_addr = reloc_addr_arg (5th argument as relative jump)
>   Elf32_Addr *const reloc_addr = reloc_addr_arg;
>
> ...
>
>       switch (r_type)
>         {
>         case R_386_GLOB_DAT:
>         case R_386_JMP_SLOT:
>           // *reloc_addr(*relocation addr) = value(relative addr calculated
>           // at above codes.)
>           *reloc_addr = value;
>           break;
>         }
>       // XXX BUG: 'defaults:' label does not exist!
> ...
>
> }
> #endif /* !RTLD_BOOTSTRAP */
> ----
>
>
> ===============
> EXPLOIT CODES:
> ===============
> Altering reloc types on the ELF binary.
>
> =============
> PATCH CODES:
> =============
> add a 'defaults:' label to the above relocation code
> if RTLD_BOOTSTRAP is defined.
>
>
> ===============
> VENDOR STATUS:
> ===============
> 2012/09/04 - The bug discovered.
> 2013/10/20 - Advisory released on full-disclosure, bugtraq, exploit-db.
>
> ...
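An added illustration of the point argued in this exchange, not code from the thread or from glibc: a minimal i386 relocation applier that includes the `default:` the quoted switch lacks, so a relocation entry whose type byte has been altered is reported (and the load can be refused) instead of the slot being silently left as it was, which is what falling out of a switch with no default does. The ELF types and constants are redefined locally with the same values as `<elf.h>` so the file stands alone; `apply_rel`, `demo_altered_type`, the 16-byte image and the three-entry table are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirrors the <elf.h> i386 definitions, kept local so the file stands alone. */
typedef uint32_t Elf32_Addr, Elf32_Word;
typedef struct { Elf32_Addr r_offset; Elf32_Word r_info; } Elf32_Rel;
#define ELF32_R_TYPE(i) ((i) & 0xff)
#define R_386_GLOB_DAT 6
#define R_386_JMP_SLOT 7
#define R_386_RELATIVE 8
enum { RELOC_OK = 0, RELOC_UNKNOWN_TYPE = -1, RELOC_OUT_OF_RANGE = -2 };

/* Apply one relocation to a simulated image of 'len' bytes mapped at 'base'.
 * 'value' stands in for the resolved symbol address the real loader computes
 * before its switch.  The 'default:' the quoted fragment lacks turns an
 * altered r_type into a reported error instead of a silent no-op. */
int apply_rel(uint8_t *image, size_t len, Elf32_Addr base,
              const Elf32_Rel *reloc, Elf32_Addr value)
{
    Elf32_Addr slot;
    if (len < sizeof slot || reloc->r_offset > len - sizeof slot)
        return RELOC_OUT_OF_RANGE;          /* slot would run past the image */
    memcpy(&slot, image + reloc->r_offset, sizeof slot);
    switch (ELF32_R_TYPE(reloc->r_info)) {
    case R_386_GLOB_DAT:
    case R_386_JMP_SLOT: slot = value; break;
    case R_386_RELATIVE: slot += base; break;
    default:             return RELOC_UNKNOWN_TYPE;
    }
    memcpy(image + reloc->r_offset, &slot, sizeof slot);
    return RELOC_OK;
}

/* Constructed table: a GOT slot at offset 4, a relative word at 8, and a third
 * entry whose type byte was altered to 0x42.  Walks the table the way a loader
 * would and returns the index of the first rejected entry (2 here), or n. */
size_t demo_altered_type(uint8_t image[16])
{
    const Elf32_Rel table[] = { { 4, (1u << 8) | R_386_JMP_SLOT },
                                { 8, R_386_RELATIVE }, { 12, (2u << 8) | 0x42 } };
    size_t n = sizeof table / sizeof table[0], i;
    memset(image, 0, 16);
    for (i = 0; i < n; i++)
        if (apply_rel(image, 16, 0x08048000, &table[i], 0xdeadbeef) != RELOC_OK)
            break;
    return i;
}
```

The first two entries are applied before the walk stops, which is why a loader should check the whole table before trusting any of it.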
