
List:       oss-security
Subject:    [oss-security] Mayhem: Targeted Corruption of Register and Stack Variables
From:       "Tol, Caner" <mtol () wpi ! edu>
Date:       2023-12-21 18:54:57
Message-ID: MN0PR01MB76576CBDD822AEB3A2292F23D497A () MN0PR01MB7657 ! prod ! exchangelabs ! com


Our recent paper (https://arxiv.org/pdf/2309.02545.pdf) [AsiaCCS'24] describes a potential vulnerability where stack/register variables can be flipped via fault injection, affecting execution flow in security-sensitive code. There are mitigation strategies you may be interested in incorporating into your code:

Take this vulnerable code, for example:

    int auth = 0;

    // password check code that sets auth variable

    if (auth != 0)
        return AUTH_SUCCESS;
    else
        return AUTH_FAILURE;

The idea is that any bit can be flipped in auth, and it will result in a mis-authentication. We prove this is a potential vulnerability in OpenSSH, OpenSSL, MySQL, and SUDO. To mitigate this, it is important to have tight logic such that a single-bit flip will not result in unintended execution. For example:

    int auth = 0xbe405d1a;

    // password check code that sets auth variable to 0x23ab9701 if the check is successful

    if (auth == 0x23ab9701)
        return AUTH_SUCCESS;
    else
        return AUTH_FAILURE;

In this case, the auth variable must be corrupted into the exact authentication pattern, which is fairly improbable.
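The following is an added example, not code from the post or from the sudo project, that puts a number on the "fairly improbable" claim: it measures the Hamming distance between the two patterns above and simulates every single-bit fault on the initial value against both the weak `auth != 0` check and the hardened exact-match check. The constants AUTH_INIT and AUTH_OK are the values from the post; the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from the post: the initial (unauthenticated) pattern and the
   pattern the password check writes on success. */
#define AUTH_INIT 0xbe405d1aU
#define AUTH_OK   0x23ab9701U

/* Number of differing bits between two 32-bit patterns (Hamming distance):
   the minimum number of bit flips a fault would need to turn one into the other. */
static int hamming32(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;
    int n = 0;
    while (x) {
        x &= x - 1;   /* clear the lowest set bit */
        n++;
    }
    return n;
}

/* Weak check from the post: any non-zero value authenticates. */
static int weak_check(uint32_t auth) { return auth != 0; }

/* Hardened check from the post: only the exact success pattern authenticates. */
static int hardened_check(uint32_t auth) { return auth == AUTH_OK; }

/* Simulate every single-bit fault on 'init' and count how many of the
   32 corrupted values the given check would accept. */
static int count_single_flip_bypasses(uint32_t init, int (*check)(uint32_t))
{
    int bypasses = 0;
    for (int bit = 0; bit < 32; bit++)
        if (check(init ^ (1U << bit)))
            bypasses++;
    return bypasses;
}

int main(void)
{
    printf("bits between AUTH_INIT and AUTH_OK: %d\n", hamming32(AUTH_INIT, AUTH_OK));
    printf("weak check, single-bit bypasses of auth=0: %d\n",
           count_single_flip_bypasses(0, weak_check));
    printf("hardened check, single-bit bypasses of AUTH_INIT: %d\n",
           count_single_flip_bypasses(AUTH_INIT, hardened_check));
    return 0;
}
```

With the weak check all 32 single-bit flips of `auth = 0` authenticate; with the hardened check none do, and a fault would have to flip 19 specific bits at once.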



We issued CVE-2023-42465 for SUDO for this vulnerability.

Here is the patch implemented in v1.9.15.

https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f

Paper link: https://arxiv.org/abs/2309.02545



Caner Tol
___________________________
Worcester Polytechnic Institute
https://vernamlab.org


