List: oss-security
Subject: [oss-security] Mayhem: Targeted Corruption of Register and Stack Variables
From: "Tol, Caner" <mtol () wpi ! edu>
Date: 2023-12-21 18:54:57
Message-ID: MN0PR01MB76576CBDD822AEB3A2292F23D497A () MN0PR01MB7657 ! prod ! exchangelabs ! com
Our recent paper <https://arxiv.org/pdf/2309.02545.pdf> [AsiaCCS'24] describes a potential vulnerability where stack/register variables can be flipped via fault injection, affecting execution flow in security-sensitive code. There are mitigation strategies you may be interested in incorporating into your code:
Take this vulnerable code, for example:
    int auth = 0;
    // password check code that sets the auth variable (nonzero on success)
    if (auth != 0)
        return AUTH_SUCCESS;
    else
        return AUTH_FAILURE;
The idea is that any bit can be flipped in auth, and it will result in a mis-authentication. We prove this is a potential vulnerability in OpenSSH, OpenSSL, MySQL, and SUDO. To mitigate this, it is important to have tight logic such that a single-bit flip will not result in unintended execution. For example:
    int auth = 0xbe405d1a;
    // password check code that sets the auth variable to 0x23ab9701 if successful
    if (auth == 0x23ab9701)
        return AUTH_SUCCESS;
    else
        return AUTH_FAILURE;
In this case, the auth variable must be corrupted into the exact authentication pattern, which is fairly improbable.
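To make the difference between the two encodings concrete, the following added example (not code from the post, the paper, or sudo) simulates every possible single-bit fault on the auth variable and counts how many corrupted values each check would accept. The constants 0xbe405d1a and 0x23ab9701 are the ones from the post; the function names and the fault-enumeration helper are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants from the post. AUTH_INIT is the "not authenticated" value the
 * variable starts with; AUTH_OK is what the password check stores on success. */
#define AUTH_INIT 0xbe405d1aU
#define AUTH_OK   0x23ab9701U

/* Naive check from the post: any nonzero value is treated as success. */
static int naive_authorized(uint32_t auth) {
    return auth != 0;
}

/* Hardened check from the post: only the exact success pattern is accepted. */
static int hardened_authorized(uint32_t auth) {
    return auth == AUTH_OK;
}

/* Number of bit positions in which a and b differ. A success pattern that is
 * far from the initial value cannot be reached by a small number of flips. */
int hamming_distance(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    int n = 0;
    while (x) {
        n += (int)(x & 1u);
        x >>= 1;
    }
    return n;
}

/* Simulate every single-bit fault on 'initial' (32 possibilities for a
 * 32-bit variable) and count how many corrupted values 'check' accepts. */
int count_passing_single_flips(uint32_t initial, int (*check)(uint32_t)) {
    int passing = 0;
    for (int bit = 0; bit < 32; bit++) {
        uint32_t faulted = initial ^ (1u << bit);
        if (check(faulted))
            passing++;
    }
    return passing;
}

/* Naive scheme: auth starts at 0, every flip makes it nonzero. */
int naive_single_flip_passes(void) {
    return count_passing_single_flips(0, naive_authorized);
}

/* Hardened scheme: auth starts at AUTH_INIT, no single flip yields AUTH_OK. */
int hardened_single_flip_passes(void) {
    return count_passing_single_flips(AUTH_INIT, hardened_authorized);
}

int main(void) {
    printf("naive    (auth starts at 0):          %d of 32 single-bit flips pass\n",
           naive_single_flip_passes());
    printf("hardened (auth starts at 0x%08x): %d of 32 single-bit flips pass\n",
           AUTH_INIT, hardened_single_flip_passes());
    printf("Hamming distance between AUTH_INIT and AUTH_OK: %d bits\n",
           hamming_distance(AUTH_INIT, AUTH_OK));
    return 0;
}
```

The example uses uint32_t rather than int so that 0xbe405d1a is representable without the implementation-defined conversion an int would require. Two properties are worth checking when choosing such constants: the initial and success values should be far apart in Hamming distance (here 19 bits), and a fault on an already-successful session in the hardened scheme can only turn success into failure, which is the safe direction. Note that this protects the variable's value only; it does not by itself protect the compare-and-branch that consumes it.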
We issued CVE-2023-42465 for SUDO for this vulnerability.
Here is the patch implemented in v1.9.15.
https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f
Paper link: https://arxiv.org/abs/2309.02545
Caner Tol
___________________________
Worcester Polytechnic Institute
https://vernamlab.org