[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
security vulnerability in glibc's strfry()
|
From: |
David Endler |
|
Subject: |
security vulnerability in glibc's strfry() |
|
Date: |
Thu, 17 Jul 2003 06:33:50 -0400 |
In accordance with iDEFENSE's security vulnerability disclosure policy
(www.idefense.com/disclosure.html), we wanted to bring a security issue
to your attention. Please acknowledge receipt of this information so we
can work toward a public disclosure date that is convenient to you in
building a fix.
-dave
David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
1875 Campus Commons Drive
Suite 210
Reston, VA 20191
voice: 703-480-5632
fax: 703-390-9456
address@hidden
www.idefense.com
Description: An exploitable buffer overflow condition exists in The GNU
Projects GNU C Library (glibc) strfry(3) function.
The vulnerability exists specifically because the strfry(3) function
does not take into account that the supplied argument string may not be
null terminated. strfry(3) is defined as:
char * strfry (char *string);
Within strfry(3) we find the following loop:
len = strlen (string);
for (i = 0; i < len; ++i)
{
...
string[i] = string[j];
If the supplied string to strfry(3) is not null terminated then the
value of 'len' will reflect a size greater then that of the buffer. The
variable 'len' is later used as the conditional and now allows an
attacker to overwrite beyond the bounds of '*string' to corrupt the
stack. The attacker can then overwrite the saved return address to alter
the flow of execution to execute arbitrary code. An example vulnerable
program may look like:
int main(int argc, char **argv)
{
char buffer[256];
strncpy(buffer, argv[1], sizeof(buffer));
strfry(buffer);
}
The following is an excerpt of the iDEFENSE proof of concept code
utilized to exploit the above sample vulnerable application:
./expl 0
...
Segmentation fault
address@hidden: gdb a.out core
...
#0 0xbfa4bfbf in ?? ()
(gdb)
The overwritten return address is out of order due to the randomizing
routine in strfry(3). Multiple tries leads to successful exploitation:
Segmentation fault (core dumped)
address@hidden: ./expl 0
...
Segmentation fault (core dumped)
address@hidden: ./expl 0
...
Segmentation fault (core dumped)
address@hidden: ./expl 0
...
Segmentation fault (core dumped)
address@hidden: ./expl 0
...
sh-2.05a$
Analysis: Any application built against glibc that utilizes the
strfry(3) function may be vulnerable to exploitation. Depending upon the
application and how data is passed to strfry(3) exploitation may be
remote or local.
The strfry(3) function randomizes the contents of string by using
rand(3) to randomly swap characters in the string. The result is an
anagram of string. The GNU C Library is used as the C library in the GNU
system and most newer systems with the Linux kernel. More information
about GNU C Library is available at
http://www.gnu.org/software/libc/libc.html .
Detection: iDEFENSE has verified glibc version 2.2.4 as vulnerable. It
is suspected that all versions of glibc less than and including version
2.3.2 implement a vulnerable strfry(3).
Workaround: Applications requiring the usage of strfry(3) should ensure
that strings passed to strfry(3) are NULL terminated. Example:
buffer[sizeof(buffer) - 1] = "\0";
strfry(buffer);
- security vulnerability in glibc's strfry(),
David Endler <=