Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <7789a6d5-92c9-4239-8a07-7b0131ed166b@lexfo.fr>
Date: Mon, 27 May 2024 11:16:53 +0200
From: Charles Fol <c.fol@...fo.fr>
To: oss-security@...ts.openwall.com
Subject: Re: The GNU C Library security advisories update for
 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix
 out-of-bound writes when writing escape sequence

Hello all,

Although very late, here is a follow up explaining the impact of the 
vulnerability.

Provided that you can force an application to convert a partially 
controlled buffer to ISO-2022-CN-EXT, you get an
overflow of 1 to 3 bytes whose value you don't control.

This can be triggered in at least two ways in PHP:

- Through direct calls to iconv()
- Through the use of PHP filters (i.e. using a "file read" vulnerability)

Due to the way PHP's heap is built, you can use such a memory corruption 
to alter part of a free list pointer,
which can in turn give you an arbitrary write primitive in the program's 
memory.

With this bug, any person that has a file read vulnerability with a 
controlled prefix on a PHP application has RCE.
Any person that can force PHP into calling iconv() with controlled 
parameters has RCE.

We have provided more explanations on a blogpost of ours (I do not think 
that I can post it here, it shouldn't be too
hard to find if you're interested).

Best regards,
Charles

On 18/04/2024 18:42, Solar Designer wrote:
> On Wed, Apr 17, 2024 at 02:36:02PM -0300, Adhemerval Zanella Netto wrote:
>> GLIBC-SA-2024-0004:
>> ===================
>> ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
>>
>> The iconv() function in the GNU C Library versions 2.39 and older may
>> overflow the output buffer passed to it by up to 4 bytes when converting
>> strings to the ISO-2022-CN-EXT character set, which may be used to
>> crash an application or overwrite a neighbouring variable.
>>
>> ISO-2022-CN-EXT uses escape sequences to indicate character set changes
>> (as specified by RFC 1922).  While the SOdesignation has the expected
>> bounds checks, neither SS2designation nor SS3designation have its;
>> allowing a write overflow of 1, 2, or 3 bytes with fixed values:
>> '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'.
>>
>> CVE-Id: CVE-2024-2961
>> Public-Date: 2024-04-17
>> Vulnerable-Commit: 755104edc75c53f4a0e7440334e944ad3c6b32fc (2.1.93-169)
>> Fix-Commit: f9dc609e06b1136bb0408be9605ce7973a767ada (2.40)
>> Fix-Commit: 31da30f23cddd36db29d5b6a1c7619361b271fb4 (2.39-31)
>> Fix-Commit: e1135387deded5d73924f6ca20c72a35dc8e1bda (2.38-66)
>> Fix-Commit: 89ce64b269a897a7780e4c73a7412016381c6ecf (2.37-89)
>> Fix-Commit: 4ed98540a7fd19f458287e783ae59c41e64df7b5 (2.36-164)
>> Fix-Commit: 36280d1ce5e245aabefb877fe4d3c6cff95dabfa (2.35-315)
>> Fix-Commit: a8b0561db4b9847ebfbfec20075697d5492a363c (2.34-459)
>> Fix-Commit: ed4f16ff6bed3037266f1fa682ebd32a18fce29c (2.33-263)
>> Fix-Commit: 682ad4c8623e611a971839990ceef00346289cc9 (2.32-140)
>>
>> Reported-By: Charles Fol
> I hope Charles will share further detail with oss-security in due time,
> but meanwhile his upcoming OffensiveCon talk abstract reveals a bit:
>
> https://www.offensivecon.org/speakers/2024/charles-fol.html
>
>> CHARLES FOL
>> ICONV, SET THE CHARSET TO RCE: EXPLOITING THE GLIBC TO HACK THE PHP ENGINE
>>
>> Abstract
>> A few months ago, I stumbled upon a 24 years old buffer overflow in the
>> glibc. Despite being reachable in multiple well-known libraries or
>> programs, it proved rarely exploitable. Indeed, this was not a foos bug:
>> with hard-to-achieve preconditions, it did not even provide a nice
>> primitive. On PHP however, it lead to amazing results: a new
>> exploitation technique that affects the whole PHP ecosystem, and the
>> compromission of several applications.
>>
>> This talk will first walk you through the discovery of the bug and its
>> limitations, before describing the conception of several remote binary
>> PHP exploits, and through them offer unique insight in the internal of
>> the engine of the web language, and the difficulties one faces when
>> exploiting it.
>>
>> BIO
>> Charles Fol, also known as cfreal, is a security researcher at LEXFO /
>> AMBIONICS. He has discovered remote code execution vulnerabilities
>> targeting renowned CMS and frameworks such as Drupal, Magento, Symfony
>> or Laravel, but also enjoys binary exploitation, to escalate privileges
>> (Apache, PHP-FPM) or compromise security solutions (DataDog's Sqreen,
>> Fortinet SSL VPN, Watchguard). He is the creator for PHPGGC, the go-to
>> tool to exploit PHP deserialization, and an expert in PHP internals.
> The event is on May 10-11th, so in 3 weeks from now.
>
> Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.