Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20240527113430.GA14378@openwall.com>
Date: Mon, 27 May 2024 13:34:30 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence

On Mon, May 27, 2024 at 11:16:53AM +0200, Charles Fol wrote:
> Although very late, here is a follow up explaining the impact of the 
> vulnerability.
> 
> Provided that you can force an application to convert a partially 
> controlled buffer to ISO-2022-CN-EXT, you get an
> overflow of 1 to 3 bytes whose value you don't control.
> 
> This can be triggered in at least two ways in PHP:
> 
> - Through direct calls to iconv()
> - Through the use of PHP filters (i.e. using a "file read" vulnerability)
> 
> Due to the way PHP's heap is built, you can use such a memory corruption 
> to alter part of a free list pointer,
> which can in turn give you an arbitrary write primitive in the program's 
> memory.
> 
> With this bug, any person that has a file read vulnerability with a 
> controlled prefix on a PHP application has RCE.
> Any person that can force PHP into calling iconv() with controlled 
> parameters has RCE.
> 
> We have provided more explanations on a blogpost of ours (I do not think 
> that I can post it here, it shouldn't be too
> hard to find if you're interested).

Surely you can post a link to a blog post, although we strongly prefer
that besides the link you also post a plain text copy of most content,
for archival.

I assume you refer to:

https://www.ambionics.io/blog/iconv-cve-2024-2961-p1

This ends with:

> This concludes the first part of the series on CNEXT (CVE-2024-2961).
> The exploit is now available on our GitHub. There is still much more to
> explore: what about direct calls to iconv() ? What happens the file read
> is blind?
> 
> In part 2, we'll dive deeper in the PHP engine to target an iconv() call
> found in a very popular PHP webmail. I'll describe the impact of such
> direct calls on the PHP ecosystem, and show you some unexpected sinks.
> Finally, in part 3, we'll cover blind file read exploitation.

The GitHub link is:

https://github.com/ambionics/cnext-exploits/

I understand it'd be difficult to convert a so nicely formatted blog
post into a plain text posting, but perhaps you can now post the plain
text description you had shared with the distros list?

Are your OffensiveCon slides online or will be soon?  A link to them can
also be shared.

Thanks,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.